On Sat, Jul 25, 2009 at 9:23 PM, Jason Dixon <ja...@dixongroup.net> wrote:
> On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
>> Hello OpenBSD-misc,
>>
>> I have a newbie question in pf that I've been trying to debug on what would
>> be wrong with my ruleset. I am trying to have the users that are on $int_if
>> only have ports 80 & 52 opened out, and users on $int_if be able to have
>> less restrictions and more ports out. So far I have something like this but
>> it isn't working:
>
> Allow me to be the first to say "RTFAQ".
>
>> ext_if = "re1"
>> int_if = "re0"
>> int_if2 = "re2"
>>
>>
>> set skip on lo
>>
>> scrub in
>>
>> nat on re1 from re0:network to any -> re1
>> nat on re1 from re2:network to any -> re1
>>
>> block all
>> pass quick on $ext_if # I have added this so that the firewall itself has
>> # full internet access
>> #pass in quick on $int_if
>
> Here you're blocking all by default (inbound and outbound on all
> interfaces), but then you immediately "pass quick" (outbound *and*
> inbound) on your external interface.  Very wrong.
>
>> pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
>>     port 53 keep state
>>
>> pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
>>     port 80 keep state
>
> Here you're passing outbound on your external interface for DNS and http
> traffic.  But a) you've already allowed everything on $ext_if so this is
> unnecessary, and b) you've never allowed any traffic from your internal
> interfaces.
>
> Honestly, I don't know *what* you're trying to accomplish because your
> description doesn't match anything in your ruleset.  Perhaps you can
> describe again what you're trying to do and what the differences are
> supposed to be between $int_if and $int_if2.
I think he has a few typos in his email that cause confusion. I think what
he wants is something like the following, which is not tested, and I know
this is a copout, but I'm tired and should not be doing this:

/------------------------------------------------------------------------------\
ext_if = "re1"
int_if = "re0"     # only ports 53 and 80 allowed out
int_if2 = "re2"    # no restrictions on outbound traffic

set skip on lo

match in all scrub (no-df)

# XXX
# XXX I do not use NAT so leaving this to the experts
nat on re1 from re0:network to any -> re1
nat on re1 from re2:network to any -> re1

block all
pass out
pass in on $int_if2
pass in log on $int_if inet proto { tcp, udp } from any to any port { 53, 80 }
\------------------------------------------------------------------------------/

He may need finer control over who from $int_if2 is allowed access to the
firewall.

--patrick
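A fuller version of the ruleset both replies are steering toward, added here as an example; it is not part of either poster's message. It assumes the interface names from the thread, reads "ports 80 & 52" the way Patrick did (DNS on 53, HTTP on 80), keeps the pre-4.7 `nat on` syntax the thread uses, and adds source-address restrictions on the internal networks that neither poster wrote.

```pf
ext_if  = "re1"
int_if  = "re0"   # clients here may only reach DNS (53) and HTTP (80) outbound
int_if2 = "re2"   # clients here have unrestricted outbound access

set skip on lo
scrub in

# Same "nat on" style the thread uses; ($ext_if) tracks the interface's
# current address instead of a fixed one.
nat on $ext_if from $int_if:network  to any -> ($ext_if)
nat on $ext_if from $int_if2:network to any -> ($ext_if)

# Default deny in both directions on every interface. No "pass quick on
# $ext_if": that would also accept unsolicited inbound traffic from the
# Internet, which is the problem Jason pointed out.
block all

# Outbound from the firewall itself on any interface, and NATed internal
# traffic leaving $ext_if. The state entry lets the replies back in, so no
# inbound rule on $ext_if is needed at all.
pass out keep state

# $int_if2: anything its own clients send is accepted and tracked by state
# (source restricted to the attached network; assumed, not from the thread).
pass in on $int_if2 from $int_if2:network to any keep state

# $int_if: only DNS (UDP and TCP 53) and HTTP (TCP 80), again only from
# addresses that belong to that network.
pass in log on $int_if inet proto { tcp, udp } from $int_if:network \
    to any port 53 keep state
pass in log on $int_if inet proto tcp from $int_if:network \
    to any port 80 keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, which catches syntax slips like the `//` comment in the original post; `pfctl -sr` afterwards shows the rules as pf actually expanded them, so you can confirm that nothing passes inbound on $ext_if.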