On Sat, Jul 25, 2009 at 9:23 PM, Jason Dixon<ja...@dixongroup.net> wrote:
> On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
>> Hello OpenBSD-misc,
>>
>> I have a newbie question in pf that Ive been trying to debug on what would
>> be wrong with my ruleset. Iam trying to have the users that are on $int_if
>> only have ports 80 & 52 opened out, and users on $int_if be able to have
>> less restrictions and more ports out. So far I have something like this
but
>> it isnt working:
>
> Allow me to be the first to say "RTFAQ".
>
>> ext_if = "re1"
>> int_if = "re0"
>> int_if2 = "re2"
>>
>>
>> set skip on lo
>>
>> scrub in
>>
>> nat on re1 from re0:network to any -> re1
>> nat on re1 from re2:network to any -> re1
>>
>> block all
>> pass quick on $ext_if // I have added this so that the firewall itself has
>> full internet access
>> #pass in quick on $int_if
>
> Here you're blocking all by default (inbound and outbound on all
> interfaces), but then you immediately "pass quick" (outbound *and*
> inbound) on your external interface. B Very wrong.
>
>> pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to
any
>> \
>> B B B port 53 keep state
>>
>> pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
>> B B B port 80 keep state
>
> Here you're passing outbound on your external interface for DNS and http
> traffic. B But a) you've already allowed everything on $ext_if so this is
> unnecessary, and b) you've never allowed any traffic from your internal
> interfaces.
>
> Honestly, I don't know *what* you're trying to accomplish because your
> description doesn't match anything in your ruleset. B Perhaps you can
> describe again what you're trying to do and what the differences are
> supposed to be between $int_if and $int_if2.
I think he has a few typos in his email that cause confusion. I think
what he wants is something like the following, which is not tested,
and I know this is a copout, but I'm tired and should not be doing
this:
/----------------------------------------------------------------------------
--\
ext_if = "re1"
int_if = "re0" # only ports 53 and 80 allowed out
int_if2 = "re2" # no restrictions on outbound traffic
set skip on lo
match in all scrub (no-df) # XXX
# XXX I do not use NAT so leaving this to the experts
nat on re1 from re0:network to any -> re1
nat on re1 from re2:network to any -> re1
block all
pass out
pass in on $int_if2
pass in log on $int_if inet proto { tcp, udp } from any to any port { 53, 80
}
\----------------------------------------------------------------------------
--/
He may need finer control over who from $int_if2 is allowed access to
the firewall.
--patrick
