Hello, I have this very simple pf.conf. However, I am unable to specify that the firewall itself should have unrestricted access; the port blockings should only apply to the users on the LAN. What is the best way to accomplish this? I've tried tagging 127.0.0.1 to be unrestricted, but that didn't work. I also tried adding a pass quick on $t_externa, but this just lets anything from anybody pass out.
# cat /etc/pf.conf
t_externa = "re0"
t_interna = "re1"
ssh_users = "{ 67.199.62.74 }"
no_restriction_users = "{ 172.16.2.5 }"

set block-policy return
set loginterface $t_externa
set limit states 10000
set limit frags 30000
set skip on lo0
set debug urgent

scrub in on $t_externa all
scrub out on $t_externa all random-id

# Perform NAT for $t_interna to access $t_externa
nat on re0 from re1:network to any -> re0

block all
antispoof quick for { lo }

################## Added for $t_interna to reach the internet #################
pass on $t_interna inet proto { tcp } from $no_restriction_users to any tag NO_RESTRICTION_USERS
pass quick on $t_interna
###############################################################################

#################### PERMIT DNS:53 CONNECTIONS OUT (UDP,TCP) ##################
pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
    port 53 keep state
###############################################################################

################## PERMIT ALL CONNECTIONS OUT SELECTIVE USERS #################
pass out quick on $t_externa proto { tcp udp } to any tagged \
    NO_RESTRICTION_USERS keep state
###############################################################################

#################### PERMIT SQUID PROXY(3128) CONNECTIONS OUT #################
pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port { 80 443 } flags S/SA modulate state

################ PERMIT ICMP TRAFFIC FOR NETWORK DEBUGGING #####################
pass inet proto icmp all icmp-type { echoreq, unreach } keep state
################################################################################

--Matt
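The following is an added example, not part of Matt's post, showing one way to separate forwarded LAN traffic from traffic the firewall host originates itself: every packet that enters on the internal interface is tagged, the tag survives NAT, and the rules on the external interface then restrict only tagged (LAN) packets while untagged (firewall-originated) packets pass freely. The interface names re0/re1 and the pre-4.7 nat syntax are taken from the post; the tag name FROM_LAN and the allowed port set are assumptions.

```pf
# Added example (not from the original post). Assumes re0 is the external
# and re1 the internal interface, as in the post; FROM_LAN is an assumed
# tag name.
ext_if = "re0"
int_if = "re1"

set skip on lo0
scrub in all

# Old-style NAT, same form as in the post
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all
antispoof quick for { lo $int_if }

# Everything that enters on the LAN interface is tagged. The tag is carried
# with the packet (and stored in its state), so it is still present when the
# same packet is filtered on $ext_if after NAT.
pass in quick on $int_if from $int_if:network tag FROM_LAN keep state

# Forwarded LAN traffic: only DNS and web are allowed out.
pass out quick on $ext_if inet proto { tcp udp } to any port 53 \
    tagged FROM_LAN keep state
pass out quick on $ext_if inet proto tcp to any port { 80 443 } \
    tagged FROM_LAN flags S/SA modulate state
# Explicit drop for any other tagged (LAN) packet; redundant with "block all"
# but makes the policy visible and easy to log if "log" is added.
block out quick on $ext_if tagged FROM_LAN

# A packet leaving $ext_if without the tag never crossed $int_if, so it was
# generated by the firewall host itself: pass it unrestricted.
pass out quick on $ext_if ! tagged FROM_LAN keep state

# ICMP for diagnostics, from either side
pass inet proto icmp all icmp-type { echoreq, unreach } keep state
```

Check the result with `pfctl -vnf /etc/pf.conf` (syntax only) and then `pfctl -s rules` and `pfctl -s state` to confirm that a LAN client's connection to port 53 creates a state on both interfaces while a connection to another port is dropped, and that a connection opened from the firewall host itself (for example a package fetch) creates a state on re0 only. The rule matching `from ($t_externa)` in the original configuration cannot make this distinction because NAT rewrites the LAN clients' source address to the external address before the outbound rules on re0 are evaluated; the tag is what tells the two cases apart.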