Hello! I've some trouble trying to harden my PF setup, probably related to some logic that I still don't understand clearly.
Currently I'm allowing every outgoing packet originating from my LAN, as shown in different examples in the PF FAQ. Now I want to be restrictive, i.e. to exclusively allow access to certain destination ports originating from my $PC. I've tried different rules but can't get it to work. For example, how should I allow $PC to access remote HTTP servers and forbid everything else? I don't want my OpenBSD/PF machine to access any service, just my $PC to access the HTTP port. This is just a mere example; I'll add other services (DNS, etc.) once I understand the logic behind this configuration.

    0  int_if = "ne3"
    1  ext_if = "ne4"
    2  pc = "192.168.1.2"
    3  set loginterface $ext_if
    4  set skip on $loop
    5  set block-policy return
    6  # SCRUB
    7  scrub in all fragment reassemble min-ttl 15 max-mss 1400 no-df
    8
    9  # NAT && RDR
    10 nat on $ext_if from $int_if:network to any -> ($ext_if)
    11
    12 # DENY && LOG EVERYTHING
    13 block log all
    14
    15 # INBOUND/OUTBOUND: LAN <> PF
    16 pass in quick on $int_if from $int_if:network to any keep state
    17 pass out quick on $int_if from any to $int_if:network keep state
    18
    19 # ALLOW $PC ACCESS HTTP SERVICE
    20 pass out on $ext_if from $PC to any port 80 keep state

Shouldn't line (20) be allowing HTTP out from $PC? (16) allows access from any local machine to PF, then as I understand it (20) should allow access to port 80 on the Internet from $PC, but (13) is blocking all.

            INTERNET
                |
           $ext_if ne4
        Dynamic IP Address
                |
              ----
             | PF |  192.168.1.1
              ----
           $int_if ne3
                |
              ----
             | PC |  192.168.1.2
              ----

Thanks in advance!
JC
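An added example ruleset (not the poster's configuration) restricting the LAN host to outbound HTTP by filtering on the internal interface. It assumes the pre-OpenBSD 4.7 `nat on` syntax used in the post, where translation happens before filtering, so a rule on $ext_if sees the translated source address rather than the LAN host's; it also assumes `lo0` as the loopback interface and uses the lowercase `$pc` macro, since macro names are case-sensitive.

```pf
# Added example, not the original poster's ruleset.
# Assumption: old-style "nat on" (pre-OpenBSD 4.7), where NAT is applied
# before filter rules are evaluated. On $ext_if the packet from the LAN host
# already carries the external address as its source, so "from $pc" on
# $ext_if never matches. Filter where the real source is still visible: $int_if.
int_if = "ne3"
ext_if = "ne4"
pc     = "192.168.1.2"          # macro names are case-sensitive: $pc, not $PC

set loginterface $ext_if
set skip on lo0                 # assumed loopback interface name
set block-policy return

scrub in all fragment reassemble min-ttl 15 max-mss 1400 no-df

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, logged. Covers the firewall's own outbound traffic too.
block log all

# Weak form from the post (do not use): lets every LAN host reach anything,
# so later restrictions on $ext_if cannot narrow it.
#   pass in quick on $int_if from $int_if:network to any keep state

# Corrected: only $pc, only TCP, only destination port 80, entering on $int_if
# where the untranslated 192.168.1.2 source is still visible.
pass in quick on $int_if proto tcp from $pc to any port 80 \
    flags S/SA keep state

# Let the translated connection leave. After NAT the source is the external
# address, so match on ($ext_if), not on $pc.
pass out quick on $ext_if proto tcp from ($ext_if) to any port 80 \
    flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to confirm that anything other than port 80 from $pc is logged by the block rule.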