Hello,

I have the following network configuration:

$ext_if -- wired interface, connected to my ISP's network, with a real
IP address, visible from the Intertubes.

$int_if -- wired interface, to which comps on my home LAN are connected

$wifi_if -- wifi interface, working in host ap mode, free-for-all

I've set up two NATs so that comps on $int_if:network and
$wifi_if:network could access the Intertubes.

Now I want the following:
so that comps from $int_if:network could access $wifi_if:network (say,
ssh to comps over there) but not vice versa.

How do I do this?

Everything I try either ends up blocking all traffic or allowing
traffic both initiated from $int_if:network to $wifi_if:network and
vice versa in a strange way: only every second response gets to
destination, i.e. I see ping like:
seq_num: 2
seq_num: 4
...etc

Here's my current config file (with many failed attempts commented out),
system is 4.5:

#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if='fxp0'
int_if='sis0'
wifi_if='ral0'

# Limit speed on wifi_if to 2 megabits
#altq on $wifi_if cbq bandwidth 2Mb queue std
#queue std bandwidth 100% cbq(default)

# block return in all
# block return out all

set require-order no
set skip on lo
scrub in

# NAT
nat on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $wifi_if:network to any -> $ext_if

# NAT/filter rules and anchors for ftp-proxy(8)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
#anchor "ftp-proxy/*"
#pass out proto tcp from $proxy to any port ftp

# Filter for $ext_if
block return in on $ext_if
pass in on $ext_if proto tcp from any to any port { www, 222 }

# Filter for $wifi_if
#block return in on $wifi_if
#pass in quick on $wifi_if from any to $wifi_if:network
#pass in on $wifi_if from $wifi_if:network to { ! $wifi_if, ! $int_if:network }
#pass in quick on $wifi_if from $int_if:network to any
#block return in on $int_if from $wifi_if:network to any
#block return in on $wifi_if from any to { $wifi_if, $int_if:network }

antispoof log quick for $ext_if
antispoof log quick for $int_if
antispoof log quick for $wifi_if

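One ruleset that implements the one-way access the post asks for, written here as an added example rather than taken from the poster's config. It assumes the same interface names (fxp0, sis0, ral0) and the pre-4.7 `nat` syntax that matches the "system is 4.5" line. The trick it relies on is pf's default stateful filtering: a `pass in` rule on $int_if creates state for each connection a LAN host opens, and the wifi host's replies are matched against that state before any rule is evaluated, so they never need a `pass in` on $wifi_if. Blocking on $wifi_if therefore only stops connections that wifi hosts themselves initiate toward the LAN, which is exactly the asymmetry wanted. Rules are last-match-wins unless `quick`, so the default deny goes first and the specific blocks use `quick`.

```pf
ext_if='fxp0'
int_if='sis0'
wifi_if='ral0'

set skip on lo
scrub in

# NAT both internal networks behind the public address (pre-4.7 syntax)
nat on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $wifi_if:network to any -> $ext_if

# Default deny; everything below must explicitly allow traffic
block return log all

antispoof log quick for { $ext_if $int_if $wifi_if }

# Internet side: only the published services may come in
pass in on $ext_if proto tcp from any to ($ext_if) port { www, 222 }
# Translated packets leaving $ext_if need their own pass out, since the
# NAT changes the source address and the inbound state no longer matches
pass out on $ext_if

# Wired LAN may open connections anywhere, including to the wifi network.
# State created here lets the wifi hosts' replies back without a pass in
# rule on $wifi_if.
pass in on $int_if from $int_if:network to any
pass out on $int_if

# Wifi hosts: new connections toward the wired LAN (and the router's LAN
# address) are refused; the Internet is still reachable via NAT.
block return in quick on $wifi_if from $wifi_if:network to { $int_if:network, $int_if }
pass in on $wifi_if from $wifi_if:network to any
pass out on $wifi_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. To confirm the asymmetry, ssh from a LAN host to a wifi host (should connect) and from a wifi host to a LAN host (should get a connection refused, because of `block return`); `pfctl -ss` will show the state entry only for the LAN-initiated session. The `log` keywords mean the refused wifi attempts are visible on pflog0 (`tcpdump -n -e -ttt -i pflog0`), which is the easiest way to see which rule is dropping a packet when a ruleset misbehaves.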