Thank you for the help, I believe that I already tried something similar and
could not access the internet behind $int_if, or $int_if2. Traffic is
getting blocked by "block all" as per the following pflog:

Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 190.40.3.10.53: 22454+[|domain] (DF)
Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 190.40.3.13.53: 37289+[|domain] (DF)
Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 190.40.3.13.53: 14850+[|domain] (DF)

192.168.1.2 is the IP of the firewall itself in relationship to $ext_if.

Additionally I tried the following:

block all

pass out on $ext_if

pass out log on $ext_if inet proto tcp from $int_if:network to any \
       port { 53 80 }
pass out log on $ext_if inet proto udp from $int_if:network to any \
       port 53
pass out log on $ext_if inet proto tcp from $int_if2:network to any \
       port { 22 53 80 443 }
pass out log on $ext_if inet proto udp from $int_if2:network to any \
       port 53


However that way both $int_if and $int_if2 would have internet access but
the port restriction rulesets would not match.

I think there is some conflict with the rules and NAT, as the firewall once
the packets are NATed then it doesn't recognize the real source? I am
confused.

Thank you

Andres

On Sun, Jul 26, 2009 at 1:16 AM, Jason Dixon <ja...@dixongroup.net> wrote:

> On Sun, Jul 26, 2009 at 12:58:08AM -0500, Andres Salazar wrote:
> > I apologize that my ruleset isn't very clear. I am trying to put together a
> > ruleset that will allow the following access:
> >
> > Outbound port 80 (web) & 53 (domain) from users at $int_if via $ext_if
> > Outbound port 80 (web) & 53 (domain) & 443 (ssl) & 22 (ssh) from $int_if2
> > via $ext_if
>
> Here's a basic ruleset that meets your requirements.  Hasn't been tested
> for syntax.  Note that I make no effort to filter traffic between the
> two internal segments.  This would require a different approach (no set
> skip on internal if's, pass in on the internal if's explicitly).  There
> are also no "pass out" rules for traffic originating from the firewall
> itself, you'll probably want to add something for this.
>
>
> ext_if = "re1"
> int_if = "re0"
> int_if2 = "re2"
>
> set skip on { lo $int_if $int_if2 }
>
> scrub in
>
> nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
>        -> ($ext_if)
> nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
>        -> ($ext_if)
>
> block all
> pass out on $ext_if inet proto tcp from $int_if:network to any \
>        port { 53 80 }
> pass out on $ext_if inet proto udp from $int_if:network to any \
>        port 53
> pass out on $ext_if inet proto tcp from $int_if2:network to any \
>        port { 22 53 80 443 }
> pass out on $ext_if inet proto udp from $int_if2:network to any \
>        port 53
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
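As an added example, not part of either message in this thread: on the pf of this era (OpenBSD 4.x "nat" syntax, before 4.7) translation is applied before the outbound filter rules on $ext_if, so those rules see the translated source, the address of ($ext_if), rather than $int_if:network; that is consistent with the pflog lines above showing 192.168.1.2 as the source. The ruleset below keeps the thread's interface names and ports as assumptions and moves the per-segment port policy to "pass in" on the internal interfaces, where the original source is still visible.

```pf
# pf.conf, OpenBSD 4.x "nat" syntax (pre-4.7); interface names from the thread
ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"

# Do not skip the internal interfaces: the port policy is enforced there.
set skip on lo
scrub in

# NAT runs before the outbound filter on $ext_if, so "pass out on $ext_if
# from $int_if:network" can never match; the source is already ($ext_if).
nat on $ext_if inet proto { tcp udp } from $int_if:network  to any -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any -> ($ext_if)

block log all

# $int_if users: 53 (DNS) and 80 (web) only, matched on the untranslated source.
pass in on $int_if  inet proto tcp from $int_if:network  to any port { 53 80 }
pass in on $int_if  inet proto udp from $int_if:network  to any port 53

# $int_if2 users: 22, 53, 80 and 443.
pass in on $int_if2 inet proto tcp from $int_if2:network to any port { 22 53 80 443 }
pass in on $int_if2 inet proto udp from $int_if2:network to any port 53

# Anything admitted above (now translated to ($ext_if)) and the firewall's own
# traffic, such as the DNS queries from 192.168.1.2 in the pflog, leaves here.
pass out on $ext_if
```

The "block log all" line logs what is still dropped, so a second tcpdump on pflog shows whether any remaining block is on the internal interfaces (policy) or on $ext_if (translation). As in Jason's ruleset, traffic between the two internal segments is not filtered beyond the port lists.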