If you don't want any PCs on the LAN to access your server but for udp
53 (will mean you can't even SSH into the box) why don't you add
something like:

  pass in quick on $int_if proto udp from $int_if:network to $int_if \
    port $int_udp keep state
  block in quick on $int_if from any to $firewall_internal_ip

Surely that is a better solution?

Andrew

 --- Björn Ketelaars <[EMAIL PROTECTED]> wrote: 
> Hello,
> 
> I’m trying to setup a natting firewall in which the internal network 
> (int_if:network) *only* has access to the internet and udp-port 53 
> (domain) on the firewall. When I’m using pf.conf given beneath it is 
> possible to access all servers on the firewall...
> 
> If I track a package (say tcp port 22 to $int_if) on the inbound network
> I will get the following:
> 
> 1.) block log all
> 
> default block policy
> 
> 2.) pass in on $int_if proto udp from $int_if:network to $int_if port $int_udp keep state
> 
> package is not accepted on $int_if because of tcp-port 22
> 
> 3.) pass in on $int_if from $int_if:network to !$int_if:network keep state
> 
> package is still not accepted because of !$int_if:network (=any except the internal network).
> 
> Unfortunately, in the real world this does not work and the package 
> reaches its destination. Any suggestion?
> 
> Kind regards,
> 
> Björn
> 
> # macros
> ext_if = "fxp0"
> int_if = "de0"
> 
> ext_tcp = "{ ftp, ssh, smtp, https, imaps }"
> ext_icmp = "echoreq"
> int_udp = "{ domain }"
> 
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> 
> # options
> set block-policy return
> set loginterface $ext_if
> 
> # scrub incoming packets
> scrub in all
> 
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> 
> # setup a default block policy
> block log all
> 
> # loopback interface (lo0)
> pass quick on lo0 all
> 
> # external interface ($ext_if)
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_tcp flags S/SA keep state
> pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $ext_icmp keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # internal interface ($int_if)
> pass in on $int_if proto udp from $int_if:network to $int_if port $int_udp keep state
> pass in on $int_if from $int_if:network to !$int_if:network keep state
> pass out on $int_if from any to $int_if:network keep state
>  
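Andrew's suggestion applied to the internal-interface section of Björn's ruleset, as an added example that is from neither poster: the interface names are taken from the quoted pf.conf, the firewall's internal address 192.168.0.1 is an assumed value, and firewall_internal_ip is a macro introduced here to stand for Andrew's $firewall_internal_ip. pf normally lets the last matching rule win, so the general pass rule for the LAN would override any earlier plain block; quick ends evaluation at the matching rule, which is why the order of the two quick rules is what restricts the LAN to DNS on the firewall itself.

```pf
# macros (ext_if/int_if from the original post; the internal address is assumed)
ext_if = "fxp0"
int_if = "de0"
firewall_internal_ip = "192.168.0.1"   # assumed: the address configured on $int_if
int_udp = "{ domain }"

# default block policy
block log all

# loopback interface (lo0)
pass quick on lo0 all

# internal interface ($int_if)
# 1. DNS from the LAN to the firewall itself: accept and stop evaluating here
pass in quick on $int_if proto udp from $int_if:network to $int_if \
    port $int_udp keep state
# 2. anything else aimed at the firewall's internal address: drop and log it
#    here, before the general pass rule below gets a chance to match
block in log quick on $int_if from any to $firewall_internal_ip
# 3. everything else from the LAN, i.e. Internet-bound traffic that will be NATed
pass in on $int_if from $int_if:network to !$int_if:network keep state
pass out on $int_if from any to $int_if:network keep state
```

Parse the file without loading it with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and confirm the order with pfctl -sr. Since the block rule logs, a LAN client's attempt to reach ssh on the firewall shows up on tcpdump -n -e -ttt -i pflog0. One caveat when testing: state entries already created under the old ruleset are matched before the rules and survive a reload, so test from a fresh connection or flush the state table with pfctl -F states.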
