On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote: > Hello, > > I have the following network configuration: > > $ext_if -- wired interface, connected to my ISP's network, with a real > IP address, visible from the Intertubes. > > $int_if -- wired interface, to which comps on my home LAN are connected > > $wifi_if -- wifi interface, working in host ap mode, free-for-all > > I've set up two NATs so that comps on $int_if:network and > $wifi_if:network could access the Intertubes. > > Now I want the following: > so that comps from $int_if:network could access $wifi_if:network (say, > ssh to comps over there) but not vice versa. > > How do I do this? > > Everything I try either ends up blocking all traffic or allowing > traffic both initiated from $int_if:network to $wifi_if:network and > vice versa in a strange way: only every second response gets to > destination, i.e. I see ping like: > seq_num: 2 > seq_num: 4 > ...etc > > Here's my current config file (with many failed attempts commented out), > system is 4.5: > > # > # See pf.conf(5) for syntax and examples; this sample ruleset uses > # require-order to permit mixing of NAT/RDR and filter rules. > # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 > # in /etc/sysctl.conf if packets are to be forwarded between interfaces. > > ext_if='fxp0' > int_if='sis0' > wifi_if='ral0' > > # Limit speed on wifi_if to 2 megabits > #altq on $wifi_if cbq bandwidth 2Mb queue std > #queue std bandwidth 100% cbq(default) > > # block return in all > # block return out all > > set require-order no > > set skip on lo > scrub in > > # NAT > nat on $ext_if from $int_if:network to any -> $ext_if > nat on $ext_if from $wifi_if:network to any -> $ext_if > > # NAT/filter rules and anchors for ftp-proxy(8) > #nat-anchor "ftp-proxy/*" > #rdr-anchor "ftp-proxy/*" > #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021 > #anchor "ftp-proxy/*" > #pass out proto tcp from $proxy to any port ftp > > # Filter for $ext_if > block return in on $ext_if > pass in on $ext_if proto tcp from any to any port { www, 222 }
this is unnecessarily broad. to $ext_if would be adequate. To do what you want to do, I'd write something like the following: set block-policy return antispoof quick for { $int_if, $wifi_if, $ext_if } block all pass out on $ext_if pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh pass in on $ext_if proto tcp to $ext_if port { www, 222 } pass in on $int_if pass in on $wifi_if