On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
> Hello OpenBSD-misc,
>
> I have a newbie question in pf that I've been trying to debug on what would
> be wrong with my ruleset. I am trying to have the users that are on $int_if
> only have ports 80 & 52 opened out, and users on $int_if be able to have
> less restrictions and more ports out. So far I have something like this but
> it isn't working:

Allow me to be the first to say "RTFAQ".

> ext_if = "re1"
> int_if = "re0"
> int_if2 = "re2"
>
>
> set skip on lo
>
> scrub in
>
> nat on re1 from re0:network to any -> re1
> nat on re1 from re2:network to any -> re1
>
> block all
> pass quick on $ext_if # I have added this so that the firewall itself has full internet access
> #pass in quick on $int_if

Here you're blocking all by default (inbound and outbound on all interfaces), but then you immediately "pass quick" (outbound *and* inbound) on your external interface. Very wrong.

> pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
> port 53 keep state
>
> pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
> port 80 keep state

Here you're passing outbound on your external interface for DNS and HTTP traffic. But a) you've already allowed everything on $ext_if so this is unnecessary, and b) you've never allowed any traffic from your internal interfaces.

Honestly, I don't know *what* you're trying to accomplish because your description doesn't match anything in your ruleset. Perhaps you can describe again what you're trying to do and what the differences are supposed to be between $int_if and $int_if2.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
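For reference, the following is an added example of how the two complaints in the reply (an unrestricted "pass quick" on the external interface, and no rule at all admitting traffic from the internal interfaces) can be addressed in a ruleset of the same vintage. It is not from the thread or from the OpenBSD PF FAQ; it reuses the poster's interface names and assumes the intended restricted ports are 53 and 80 (the poster wrote "52", but his own rules use 53). The port list for $int_if2 is an invented placeholder for "less restrictions", not something the thread specifies. Filter rules are written with default "keep state" (the default for pass rules on OpenBSD releases of this era), so the state created when a packet is passed in on an internal interface also carries its NATed counterpart out $ext_if, and the external interface never needs an inbound pass rule.

```pf
ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"

# Example-only: ports the less-restricted network is allowed to reach.
int_if2_tcp_ports = "{ 22, 25, 80, 443, 993 }"

set skip on lo
scrub in

# Translate both internal networks to the external address (pre-4.7 syntax,
# matching the original post); use the interface name so IP changes are picked up.
nat on $ext_if from $int_if:network  to any -> ($ext_if)
nat on $ext_if from $int_if2:network to any -> ($ext_if)

# Default deny in both directions on every interface.
block all

# The firewall's own outbound traffic, and NATed internal traffic after
# translation, leaves via $ext_if. This is "out" only: nothing unsolicited
# is admitted on the external interface, unlike the original "pass quick".
pass out on $ext_if from ($ext_if) to any

# Hosts behind $int_if: DNS (TCP/UDP 53) and HTTP (TCP 80) only.
pass in on $int_if inet proto { tcp, udp } from $int_if:network to any port 53
pass in on $int_if inet proto tcp          from $int_if:network to any port 80

# Hosts behind $int_if2: a wider set of ports (assumed list, see above).
pass in on $int_if2 inet proto udp from $int_if2:network to any port 53
pass in on $int_if2 inet proto tcp from $int_if2:network to any port $int_if2_tcp_ports
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the policy with `pfctl -sr` afterwards. The key difference from the posted ruleset is that the only rule on $ext_if is an "out" rule, so a client on $int_if that tries, say, TCP 443 is stopped by "block all" at the internal interface and never reaches the external one.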