Let me give you an example. If you just want 10.10.0.0/16 to have port 80
access, then you need 3 rules:

#the nat
nat on $ext_if from 10.10.0.0/16 to any port 80 -> ($ext_if)

#allow through $int_if
pass in quick on $int_if proto tcp from 10.10.0.0/16 to any port 80

#and finally allow through $ext_if
pass out quick on $ext_if proto tcp from ($ext_if) to any

You can lock $ext_if down to just port 80, but the point is that $int_if is where
you do the filtering for 10.10.0.0/16.

Correct me if I am wrong.

Regards,

Charlie

On Wed, 15 Oct 2008 14:44:43 -0300, "Ricardo Augusto de Souza"
<[EMAIL PROTECTED]> wrote:
> Is it possible to filter outgoing packets on $ext_if even when doing NAT?
> I mean, after  nat on $ext_if from 10.10.0.0/16 to any -> ($ext_if) all
> packets from 10.10.0.0/16 will be translated to $ext_if.
> I wish I could filter 10.10.0.0/16 packets on $ext_if.
> 
> Is it possible?
> 
> Thanks
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
> Ricardo Augusto de Souza
> Sent: Wednesday, 15 October 2008 13:01
> To: misc@openbsd.org
> Subject: Filtering outgoing connections in pf
> 
> Hi,
> 
> I am confused with some PF rules.
> 
> I am trying to allow just some ports to my local users.
> 
> I am using block out on $ext_if, but I think I should be able to choose
> the ports my LAN users can access with the rule
> 
> pass out on $ext_if proto tcp from 10.10.0.0/16 to any port { 80, 25, 110 } keep state
> 
> It seems to be OK, but I had to add this rule: pass out on $ext_if from
> $ext_if to any (without this rule my box cannot connect to the
> internet). With this rule, all users can connect to any outbound port.
> 
> Question: What is the right way to have my box on the internet while my
> users can only access the selected ports?
> 
> Thanks
> 
> My pf.conf:
> 
> set loginterface xl1
> set skip on lo0
> set require-order yes
> set state-policy if-bound
> 
> scrub in
> 
> altq on xl1 priq bandwidth 50Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> 
> # external interface (WAN)
> ext_if="xl1"
> # internal interface (LAN)
> int_if="xl0"
> # MPLS interface
> mpls_if ="bge0"
> # VPN tunnel interfaces
> vpn_if ="{ tun0, tun1, tun2, tun3, tun4 }"
> vpn_net ="{ 10.10.9.0/26 }"
> # Default GW
> gw="200.162.41.33"
> 
> table <badsites> persist file "/etc/badsites.txt"
> winupdate = "{ 65.54.87.0/24 } "
> 
> ############
> # Variables
> ##########
> 
> #################
> #1 - Redirection to the staging (homologation) environment
> ###############
> ws_ip = "{ 10.10.100.21 }"
> ws_ports = "{ 8101, 8102, 8103 }"
> 
> ####################################
> #2 - Useful variables
> ################################
> lan = "{ 10.10.0.0/16 }"
> cmt_lan = "{ 10.10.0.0/24 }"
> ti_lan = "{ 10.10.20.0/26 }"
> call_center_lan = "{ 10.10.60.0/26 }"
> rede_mpls  = "{ 10.100.0.0/16 }"
> ip_admin = "{ 10.10.20.100 }"
> msn = "207.46.0.0/16"
> 
> # ports
> portas_saida_tcp = " {25, 80, 110,443 }"
> portas_saida_udp = " { 53, 443 }"
> portas_entrada_tcp = " { 22,1981, 810} "
> portas_entrada_udp = " { 1194 }"
> ip_rose = " { 10.10.0.56 } "
> porta_rose = " { 2631 } "
> oracle_desenv = "{ 10.10.100.13, 10.10.100.14 }"
> ips_adm_ext = "{ 189.33.76.0/26 } "
> 
> # test: internet access for the MPLS branches
> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 3128 -> $int_if port 3128
> 
> # redirect to the NTP server
> rdr pass on $mpls_if inet proto udp from $rede_mpls to $mpls_if port 123 -> 10.10.100.254 port 123
> 
> # redirect so the DTC servers send mail through sol
> rdr pass on $mpls_if inet proto tcp from $rede_mpls to $mpls_if port 25 -> 10.10.0.2 port 25
> nat on $int_if from any to 10.10.0.2 -> $int_if
> 
> # transparent squid
> rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port 3128
> 
> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1521 -> 10.10.100.13 port 1521
> rdr pass on $mpls_if inet proto tcp from any to $mpls_if port 1522 -> 10.10.100.14 port 1521
> nat on $int_if from any to $oracle_desenv port 1521 -> $int_if
> 
> # redirect to the LAN; NAT was also needed.
> rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports -> $ws_ip
> nat on $int_if from any to $ws_ip -> $int_if
> 
> #################
> ##### NAT  ######
> #################
> 
> # NAT to give the LAN internet access
> nat on $ext_if from $lan to !($ext_if) -> $ext_if
> nat on $mpls_if  from $lan to any -> $mpls_if
> 
> # block everything inbound and everything outbound
> block in on $ext_if
> 
> # inbound rules
> 
> # allow everything inbound on the internal interface
> pass in on $int_if proto udp from $lan to $int_if port 53
> pass in on $int_if from any to $lan  modulate state
> pass in on $int_if from $rede_mpls to $lan  modulate state
> 
> # allow access to the MPLS network
> pass in quick on $mpls_if from any to any
> #pass in quick on $mpls_if from $rede_mpls to any
> 
> # allow inbound on the external interface
> pass in quick on $ext_if proto tcp from any to $ext_if port $portas_entrada_tcp keep state
> pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep state
> pass in quick on $ext_if proto udp from any to $ext_if port $portas_entrada_udp keep state
> pass in quick on $ext_if proto tcp from any to $int_if port 443 flags S/SAFR keep state (max 256)
> 
> # VPN
> pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
> pass in quick on $ext_if proto gre from any to $ext_if keep state
> pass out quick on $ext_if proto gre from $ext_if to any keep state
> pass in quick on $vpn_if all
> pass out quick on $vpn_if all
> 
> pass in quick on $int_if from $vpn_net to any modulate state
> pass in quick on $mpls_if from $vpn_net to any modulate state
> 
> # outbound rules
> antispoof quick for { lo $int_if }
> pass out on $int_if from any to $lan  keep state
> pass out on $mpls_if from $mpls_if to any modulate state
> #####
> # forbid all outbound traffic
> block out on $ext_if
> #pass out on $ext_if from $ext_if to any modulate state
> 
> pass out quick on $ext_if proto tcp from any to any port $portas_saida_tcp modulate state queue (q_def, q_pri)
> pass out quick on $ext_if proto tcp from $ip_rose port 1024:65535 to 200.201.174.0/24 port { 80, 2631 } modulate state
> 
> # full access for the administrators
> #pass out on $ext_if from $ip_admin to any modulate state
> 
> pass out on $ext_if proto tcp from $ext_if  to any  modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # block msn
> pass out quick inet proto tcp from $ip_admin to $msn port { 80, 1863 }
> block out quick proto tcp from any to $msn port { 80, 1863 }
> # block access to these sites
> block out on $ext_if from any to <badsites>
> block out on $ext_if from any to $winupdate
-- 
Charlie Clark
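The three rules above put together as a minimal ruleset, as an added example that is not from either poster: it uses the thread's pre-4.7 nat syntax, and the interface macros, port lists and the tag name LAN_NAT are assumptions. The per-port policy lives on $int_if, where the untranslated 10.10.0.0/16 source is still visible; the tag added by the nat rule is what lets $ext_if tell the translated LAN traffic from the firewall's own connections if you do want to lock $ext_if down as well.

```pf
# Added example, not from the original posts; macros below are assumed.
ext_if = "xl1"
int_if = "xl0"
lan = "10.10.0.0/16"
lan_tcp_ports = "{ 25, 80, 110, 443 }"
lan_udp_ports = "{ 53 }"

set skip on lo0
scrub in

# Translation happens before the filter rules on $ext_if are evaluated, so
# on $ext_if the LAN's packets already carry ($ext_if) as source and a
# "from $lan" rule there can never match. Tag them here so the pass out
# rules on $ext_if can still tell LAN traffic from the box's own.
nat on $ext_if from $lan to any tag LAN_NAT -> ($ext_if)

# Default deny in both directions; everything below is an explicit exception.
block all

# 1. The port policy for the LAN is enforced on $int_if, where the real
#    10.10.0.0/16 source address is visible. Replies return via state.
pass in quick on $int_if proto tcp from $lan to any port $lan_tcp_ports keep state
pass in quick on $int_if proto udp from $lan to any port $lan_udp_ports keep state

# 2. Let the translated LAN traffic leave $ext_if, limited to the same ports.
#    Without "tagged", a ($ext_if) source would also cover the firewall itself.
pass out quick on $ext_if proto tcp from ($ext_if) to any port $lan_tcp_ports tagged LAN_NAT keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port $lan_udp_ports tagged LAN_NAT keep state

# 3. Connections the firewall originates itself carry no tag and stay unrestricted.
pass out quick on $ext_if from ($ext_if) to any ! tagged LAN_NAT keep state
```

A LAN host trying port 8080 is dropped by the block rule on $int_if, while the box's own fetches on any port still pass rule 3.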