Hello,

I have this very simple pf.conf. However, I am unable to specify that
the firewall itself should have unrestricted access; the port
blocking should only apply to the users on the LAN. What is the best
way to accomplish this? I've tried tagging 127.0.0.1 to be unrestricted,
but that didn't work. I also tried adding a pass quick on $t_externa,
but this just lets anything from anybody pass out.



# cat /etc/pf.conf
t_externa = "re0"
t_interna = "re1"

ssh_users = "{ 67.199.62.74 }"
no_restriction_users = "{ 172.16.2.5 }"

set block-policy return
set loginterface $t_externa
set limit states 10000
set limit frags 30000
set skip on lo0
set debug urgent
scrub in on $t_externa all
scrub out on $t_externa all random-id

# Perform NAT for $t_interna to access $t_externa
nat on re0 from re1:network to any -> re0


block all

antispoof quick for { lo }

################## Added for $t_interna to reach the internet #################
pass on $t_interna inet proto { tcp } from $no_restriction_users to any \
     tag NO_RESTRICTION_USERS
pass quick on $t_interna
###############################################################################

#################### PERMIT DNS:53 CONNECTIONS OUT (UDP,TCP) ##################
pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
     port 53 keep state
#######################################################################################

################## PERMIT ALL CONNECTIONS OUT SELECTIVE USERS ##################
pass out quick on $t_externa proto { tcp, udp } to any tagged \
        NO_RESTRICTION_USERS keep state
###############################################################################

#################### PERMIT SQUID PROXY(3128) CONNECTIONS OUT ##################

pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port { 80 443 } flags S/SA modulate state

################ PERMIT ICMP TRAFFIC FOR NETWORK DEBUGGING #####################
pass inet proto icmp all icmp-type { echoreq, unreach } keep state
################################################################################



--Matt
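As an added example (not the config from the post above), here is one way to arrange the same ruleset so that the firewall's own traffic is unrestricted while LAN users stay limited. It keeps the interfaces and macros from the post and assumes the same pre-4.7 OpenBSD / FreeBSD `nat on` syntax, where translation is applied before the outbound filter rules on re0 are evaluated: by the time a LAN user's packet reaches a `pass out on $t_externa` rule its source is already re0's address, so `from ($t_externa)` cannot tell the firewall's own packets from translated LAN packets, which is also why a bare `pass quick on $t_externa` let everybody out. Tags applied on re1 inbound survive translation, so the example tags every LAN packet there, handles the tagged packets first on re0, and only then lets whatever is left (which can only have been generated on the firewall) out unconditionally. The tag names LAN_FULL and LAN_LIMITED are chosen for this example.

```conf
t_externa = "re0"
t_interna = "re1"

ssh_users = "{ 67.199.62.74 }"
no_restriction_users = "{ 172.16.2.5 }"

set block-policy return
set loginterface $t_externa
set limit states 10000
set limit frags 30000
set skip on lo0
scrub in on $t_externa all
scrub out on $t_externa all random-id

# With this nat syntax translation happens before the outbound filter rules
# on re0 are evaluated, so every packet leaving re0 already carries re0's
# address as its source, whether the firewall or a LAN host sent it.
nat on $t_externa from $t_interna:network to any -> ($t_externa)

block all

antispoof quick for { lo }

################## LAN SIDE: TAG EVERYTHING THAT ARRIVES FROM THE LAN #########
# Locally generated traffic never passes *in* on re1, so it never gets a tag.
# Tags are sticky and are kept with the state, so the re0 rules below can
# still see them after NAT has rewritten the source address.
pass in quick on $t_interna inet from $no_restriction_users to any \
     tag LAN_FULL keep state
pass in quick on $t_interna inet from $t_interna:network to any \
     tag LAN_LIMITED keep state
pass out quick on $t_interna keep state
###############################################################################

################## WAN SIDE: RESTRICTED LAN USERS #############################
pass out quick on $t_externa inet proto { tcp, udp } to any port 53 \
     tagged LAN_LIMITED keep state
pass out quick on $t_externa inet proto tcp to any port { 80, 443 } \
     flags S/SA tagged LAN_LIMITED modulate state
pass out quick on $t_externa inet proto icmp icmp-type { echoreq, unreach } \
     tagged LAN_LIMITED keep state
# Anything else from a restricted user stops here; block-policy return sends
# a RST / unreachable back to the LAN host instead of silently dropping.
block out quick on $t_externa tagged LAN_LIMITED
###############################################################################

################## WAN SIDE: UNRESTRICTED LAN USERS ###########################
pass out quick on $t_externa tagged LAN_FULL keep state
###############################################################################

################## WAN SIDE: THE FIREWALL ITSELF ##############################
# Every LAN packet was tagged on re1 and handled by the quick rules above, so
# whatever still reaches this rule was generated on the firewall: let it out.
pass out quick on $t_externa from ($t_externa) to any keep state
###############################################################################

################ PERMIT ICMP TRAFFIC FOR NETWORK DEBUGGING ####################
pass inet proto icmp all icmp-type { echoreq, unreach } keep state
###############################################################################
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then try a port outside the allowed set (25, say) from a LAN host and from the firewall: the LAN host should get a connection reset, the firewall should connect. `pfctl -vsr` prints per-rule packet counters, which makes it easy to confirm which rule each test actually hit. On OpenBSD 4.7 and later, where NAT is written as `match out on $t_externa ... nat-to`, outbound filter rules see the untranslated source address, so a plain `pass out quick on $t_externa from ($t_externa)` would already single out the firewall's own traffic; the tag-based layout works on both the old and the new syntax.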
