On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
> Hello OpenBSD-misc,
> 
> I have a newbie question in pf that I've been trying to debug on what would
> be wrong with my ruleset. I am trying to have the users that are on $int_if
> only have ports 80 & 52 opened out, and users on $int_if be able to have
> less restrictions and more ports out. So far I have something like this but
> it isn't working:

Allow me to be the first to say "RTFAQ".
 
> ext_if = "re1"
> int_if = "re0"
> int_if2 = "re2"
> 
> 
> set skip on lo
> 
> scrub in
> 
> nat on re1 from re0:network to any -> re1
> nat on re1 from re2:network to any -> re1
> 
> block all
> pass quick on $ext_if // I have added this so that the firewall itself has
> full internet access
> #pass in quick on $int_if
 
Here you're blocking all by default (inbound and outbound on all
interfaces), but then you immediately "pass quick" (outbound *and*
inbound) on your external interface.  Very wrong.
 
> pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
>      port 53 keep state
> 
> pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
>      port 80 keep state

Here you're passing outbound on your external interface for DNS and http
traffic.  But a) you've already allowed everything on $ext_if so this is
unnecessary, and b) you've never allowed any traffic from your internal
interfaces.

Honestly, I don't know *what* you're trying to accomplish because your
description doesn't match anything in your ruleset.  Perhaps you can
describe again what you're trying to do and what the differences are
supposed to be between $int_if and $int_if2.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
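For readers arriving at this thread later, here is one way the ruleset could look once the two mistakes above (a default block followed by an unqualified "pass quick on $ext_if", and no "pass in" rules at all on the internal interfaces) are corrected. This is an added example, not code from either poster. It assumes the intent was that hosts behind re0 ($int_if) may only reach DNS and HTTP, while hosts behind re2 ($int_if2) get a wider but still explicit port list; that wider list, and the macro names restricted_ports and wide_ports, are assumptions to be adjusted to local policy. The syntax is that of the OpenBSD 4.x-era pf used on the page (nat on ... -> ($ext_if), keep state).

```pf
# Added example, not the original poster's or Jason Dixon's ruleset.
# Assumed policy: re0 clients get only DNS + HTTP out, re2 clients get more.
ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"
restricted_ports = "{ 53, 80 }"
# Assumed wider list for the second LAN; adjust to the actual policy.
wide_ports = "{ 22, 25, 53, 80, 110, 143, 443, 993, 995 }"

set skip on lo
scrub in

# Use the macros consistently instead of mixing "re1"/"re0" literals.
nat on $ext_if from $int_if:network  to any -> ($ext_if)
nat on $ext_if from $int_if2:network to any -> ($ext_if)

# Default deny, logged, so anything unexpected shows up on pflog0.
block log all

# Drop packets claiming an internal source address on the wrong interface.
antispoof quick for { $int_if $int_if2 }

# Restricted LAN: only what is listed here gets in from re0; everything
# else from that LAN hits the block rule. "keep state" lets replies back.
pass in on $int_if inet proto udp from $int_if:network to any \
    port 53 keep state
pass in on $int_if inet proto tcp from $int_if:network to any \
    port $restricted_ports flags S/SA keep state

# Less-restricted LAN on re2.
pass in on $int_if2 inet proto udp from $int_if2:network to any \
    port 53 keep state
pass in on $int_if2 inet proto tcp from $int_if2:network to any \
    port $wide_ports flags S/SA keep state

# Let traffic that was passed in (and NATed) leave on the external side,
# and cover connections the firewall itself originates. This is "pass out"
# only: a bare "pass quick on $ext_if" would also admit unsolicited inbound
# traffic from the Internet, which the "block all" above is meant to stop.
pass out on $ext_if keep state
```

The structure is the usual one: deny everything, then permit inbound on each internal interface exactly the destination ports that LAN is allowed, and permit outbound on the external interface for the stateful flows that result. Nothing is passed inbound on $ext_if, so the firewall stays closed from the Internet side while still having full outbound access itself. Load it with "pfctl -nf /etc/pf.conf" first to syntax-check before applying.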
