On Mon, Feb 23, 2009 at 8:47 PM, johan beisser <[email protected]> wrote:
> On Feb 23, 2009, at 5:58 PM, Hilco Wijbenga wrote:
>> /etc/pf.conf
>> 01 ext_if = "sk0"
>> 02 int_if = "sk1"
>> 03 localnet = $int_if:network
>> 04 internet = $ext_if:network
>> 05 udp_services = "{ domain, ntp }"
>> 06 icmp_types = "{ echoreq, unreach }"
>> 07
>> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
>> 09
>> 10 block log all
>> 11
>> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
>> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
>> 14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
>> 15
>> 16 pass inet proto icmp all icmp-type $icmp_types
>> 17 pass from { lo0, $localnet } to any keep state
>> a. Why do I need 12? I had expected 13 (which I don't seem to need).
>> Wouldn't 12 be for incoming requests from the Internet?
> I make no claims this works or will work for you. It's a simple rewrite of
> what you claimed to want (NAT for outbound traffic, for example).
>
> ext_if="sk0"
> int_if="sk1"
> udp_services="{ domain, ntp}"
>
> set skip on lo
> set block-policy return
> scrub in
>
> nat on $ext_if from $int_if:network to any ->($ext_if)
> block log
>
> pass out quick from $int_if to $int_if:network
> pass out quick from $ext_if to any
>
> pass in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $udp_services
I don't think he wants any inbound traffic. Note his first question
labeled "a."
> pass in quick on $int_if from $int_if:network to any
Why all the "quick" stuff? This is supposed to be a very simple set
up. Granted we don't exactly understand what the OP wants to do, but
from what I gather, he most likely wants to allow all outbound traffic
with NAT and everything else gets blocked and logged.
So something to the effect of:
set skip on lo
scrub in
nat stuff here ...
block log
pass on $int_if ... blah blah blah
--patrick
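The sketch above written out as a complete ruleset. This is an added example, not a file posted by anyone in the thread; it keeps the OP's interface names (sk0 outside, sk1 inside) and the pre-4.7 `nat` syntax the thread uses, and it only implements the "all outbound with NAT, everything else blocked and logged" policy, with no inbound services at all.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumes sk0 faces the Internet and sk1 faces the LAN, as in the OP's config.
ext_if = "sk0"
int_if = "sk1"
localnet = $int_if:network

# Loopback is trusted; drop it from filtering entirely.
set skip on lo
# Send RST/ICMP unreachable instead of silently dropping, so local
# clients fail fast rather than hanging on a blocked connection.
set block-policy return
# Normalise incoming packets (reassemble fragments etc.) before filtering.
scrub in

# Rewrite LAN source addresses to whatever address $ext_if currently has.
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny in both directions. Everything that is not explicitly
# passed below is dropped and logged to pflog0, including every
# unsolicited packet arriving on $ext_if.
block log all

# LAN hosts may open any connection; the state entry lets the replies
# back in without a separate inbound rule.
pass in on $int_if from $localnet to any keep state
# The firewall's own traffic, and the NATed LAN traffic, may leave.
pass out keep state
```

Before loading, check the file with `pfctl -nf /etc/pf.conf` (parse only, no changes), then load it with `pfctl -f /etc/pf.conf`. Because the `block` rule is the only one with `log`, `tcpdump -n -e -ttt -i pflog0` shows exactly the traffic the firewall refused, which is the quickest way to confirm that nothing unexpected is reaching the LAN from `$ext_if` and to see which outbound flows, if any, are still being caught by the default deny.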