On Sun, 9 May 2010 02:47:15 +0300, Jussi Peltola wrote:
> On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> > Hello,
> > 
> > I have the following network configuration:
> > 
> > $ext_if -- wired interface, connected to my ISP's network, with a
> > real IP address, visible from the Intertubes.
> > 
> > $int_if -- wired interface, to which comps on my home LAN are
> > connected
> > 
> > $wifi_if -- wifi interface, working in host ap mode, free-for-all
> > 
> > I've set up two NATs so that comps on $int_if:network and
> > $wifi_if:network could access the Intertubes.
> > 
> > Now I want the following:
> > so that comps from $int_if:network could access $wifi_if:network
> > (say, ssh to comps over there) but not vice versa.
> > 
> > How do I do this?
> > 
> > Everything I try either ends up blocking all traffic or allowing
> > traffic both initiated from $int_if:network to $wifi_if:network and
> > vice versa in a strange way: only every second response gets to
> > destination, i.e. I see ping like:
> > seq_num: 2
> > seq_num: 4
> > ...etc
> > 
> > Here's my current config file (with many failed attempts commented
> > out), system is 4.5:
> > 
> > #
> > # See pf.conf(5) for syntax and examples; this sample ruleset uses
> > # require-order to permit mixing of NAT/RDR and filter rules.
> > # Remember to set net.inet.ip.forwarding=1 and/or
> > # net.inet6.ip6.forwarding=1 in /etc/sysctl.conf if packets are to
> > # be forwarded between interfaces.
> > 
> > ext_if='fxp0'
> > int_if='sis0'
> > wifi_if='ral0'
> > 
> > # Limit speed on wifi_if to 2 megabits
> > #altq on $wifi_if cbq bandwidth 2Mb queue std
> > #queue std bandwidth 100% cbq(default)
> > 
> > # block return in all
> > # block return out all
> > 
> > set require-order no
> >
> > set skip on lo
> > scrub in
> > 
> > # NAT
> > nat on $ext_if from $int_if:network to any -> $ext_if
> > nat on $ext_if from $wifi_if:network to any -> $ext_if
> > 
> > # NAT/filter rules and anchors for ftp-proxy(8)
> > #nat-anchor "ftp-proxy/*"
> > #rdr-anchor "ftp-proxy/*"
> > #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> > #anchor "ftp-proxy/*"
> > #pass out proto tcp from $proxy to any port ftp
> > 
> > # Filter for $ext_if
> > block return in on $ext_if
> > pass in on $ext_if proto tcp from any to any port { www, 222 }
> 
> This is unnecessarily broad. "to $ext_if" would be adequate.
> 
> To do what you want to do, I'd write something like the following:
> 
> set block-policy return
> 
> antispoof quick for { $int_if, $wifi_if, $ext_if }
> 
> block all
> 
> pass out on $ext_if
> pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
> pass in on $ext_if proto tcp to $ext_if port { www, 222 }
> pass in on $int_if
> pass in on $wifi_if
> 

Worked like a charm, thanks!
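For reference, here is the suggested filter assembled into one complete pf.conf together with the NAT rules from the original post. This is an added example, not a file posted in the thread; it uses the interface names (fxp0, sis0, ral0) and the OpenBSD 4.5 syntax from the original message, and the comments spell out why each rule gives the one-way policy.

```pf
# Assembled ruleset (OpenBSD 4.5 syntax, as in the thread); interface
# names are the ones from the original post.
ext_if='fxp0'     # ISP-facing, public address
int_if='sis0'     # wired home LAN (trusted)
wifi_if='ral0'    # open access point (untrusted)

set skip on lo
set block-policy return   # refused connections get RST / ICMP unreachable
scrub in

# NAT both inside networks to the public address (only on $ext_if, so
# traffic between the two inside networks is not translated)
nat on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $wifi_if:network to any -> $ext_if

# Drop packets whose source address belongs to one of our networks but
# that arrive on the wrong interface (e.g. a wifi client forging a LAN address)
antispoof quick for { $int_if, $wifi_if, $ext_if }

# Default deny; everything below is an explicit exception
block all

# Services exposed on the public address only, not "to any"
pass in on $ext_if proto tcp to $ext_if port { www, 222 }

# Anything may leave towards the Internet; state lets the replies back in
pass out on $ext_if

# Each inside network may send packets to the firewall.  A forwarded
# packet is filtered a second time when it leaves on the other interface,
# and that is where the one-way policy is enforced.
pass in on $int_if
pass in on $wifi_if

# Wired LAN -> wifi: ssh only.  There is no "pass out on $int_if" rule at
# all, so nothing initiated on the wifi side is forwarded to the wired
# LAN; only replies to the LAN's ssh sessions match existing state.
pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", and remember net.inet.ip.forwarding=1 in /etc/sysctl.conf as the original file's header notes.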
