On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> Hello,
> 
> I have the following network configuration:
> 
> $ext_if -- wired interface, connected to my ISP's network, with a real
> IP address, visible from the Intertubes.
> 
> $int_if -- wired interface, to which comps on my home LAN are connected
> 
> $wifi_if -- wifi interface, working in host ap mode, free-for-all
> 
> I've set up two NATs so that comps on $int_if:network and
> $wifi_if:network could access the Intertubes.
> 
> Now I want the following:
> so that comps from $int_if:network could access $wifi_if:network (say,
> ssh to comps over there) but not vice versa.
> 
> How do I do this?
> 
> Everything I try either ends up blocking all traffic or allowing
> traffic initiated both from $int_if:network to $wifi_if:network and
> vice versa, in a strange way: only every second response gets to its
> destination, i.e. I see ping like:
> seq_num: 2
> seq_num: 4
> ...etc
> 
> Here's my current config file (with many failed attempts commented out),
> system is 4.5:
> 
> #
> # See pf.conf(5) for syntax and examples; this sample ruleset uses
> # require-order to permit mixing of NAT/RDR and filter rules.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> 
> ext_if='fxp0'
> int_if='sis0'
> wifi_if='ral0'
> 
> # Limit speed on wifi_if to 2 megabits
> #altq on $wifi_if cbq bandwidth 2Mb queue std
> #queue std bandwidth 100% cbq(default)
> 
> # block return in all
> # block return out all
> 
> set require-order no
>
> set skip on lo
> scrub in
> 
> # NAT
> nat on $ext_if from $int_if:network to any -> $ext_if
> nat on $ext_if from $wifi_if:network to any -> $ext_if
> 
> # NAT/filter rules and anchors for ftp-proxy(8)
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> #anchor "ftp-proxy/*"
> #pass out proto tcp from $proxy to any port ftp
> 
> # Filter for $ext_if
> block return in on $ext_if
> pass in on $ext_if proto tcp from any to any port { www, 222 }

This is unnecessarily broad; "to $ext_if" would be adequate.

To do what you want to do, I'd write something like the following:

set block-policy return

antispoof quick for { $int_if, $wifi_if, $ext_if }

block all

pass out on $ext_if
pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
pass in on $ext_if proto tcp to $ext_if port { www, 222 }
pass in on $int_if
pass in on $wifi_if
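
The reply gives only the filter section. As an added example (my own, not from either poster), here is the complete /etc/pf.conf those rules would sit in on OpenBSD 4.5, combining the original macros and NAT lines (4.x syntax, NAT before filter rules) with the reply's filter rules. Interface names and the port 222 sshd are taken from the original post; the comments explain which rule enforces which half of the asymmetric policy.

```pf
# Added example: full 4.5-era pf.conf for the LAN -> wifi-only policy.
# Interface names are the poster's; 222 is the poster's sshd port.
ext_if='fxp0'
int_if='sis0'
wifi_if='ral0'

set block-policy return
set skip on lo
scrub in

# NAT both inside networks out the external address. The parentheses
# make pf re-read the interface address if the ISP lease changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wifi_if:network to any -> ($ext_if)

# Drop packets whose source address does not belong on the interface
# they arrived on (e.g. a wifi client forging a LAN address).
antispoof quick for { $int_if, $wifi_if, $ext_if }

# Default deny. Every pass rule below keeps state, so replies to a
# permitted connection are matched by the state entry, not by a rule;
# there is no need for (and no point in) a reverse-direction pass.
block all

# From the Internet: only the two published services, only to the
# router's own external address.
pass in on $ext_if proto tcp to $ext_if port { www, 222 }

# Anything leaving towards the ISP (router-originated or NATed).
pass out on $ext_if

# LAN -> wifi: ssh only. With no general "pass out on $wifi_if",
# nothing else from the LAN is forwarded to wifi clients.
pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh

# Accept everything arriving from the LAN; the "pass out" rules above
# decide where it may be forwarded.
pass in on $int_if

# Accept what arrives from wifi. Because there is no "pass out on
# $int_if" rule, wifi traffic can go to the Internet (via "pass out on
# $ext_if") but is never forwarded into the LAN; block-policy return
# sends a RST / ICMP unreachable instead of silently dropping it.
pass in on $wifi_if
```

Check it before loading with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf`, and confirm the policy with `pfctl -ss` while an ssh session from the LAN to a wifi host is open: you should see exactly one state on $int_if (in) and one on $wifi_if (out) for it. One caveat for a free-for-all wifi: "pass in on $wifi_if" also lets wifi clients reach services on the router itself (sshd on 222, for example), so if that is not wanted, narrow that rule to the router services wifi clients actually need (typically DHCP and DNS) plus forwarding to the Internet.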
