Hello!
I'm having some trouble trying to harden my PF setup, probably related to some
logic that I still don't understand clearly.
Currently I'm allowing every outgoing packet originating from my LAN, as shown
in different examples in the PF FAQ.
Now I want to be restrictive, i.e. to exclusively allow access to certain
destination ports originating from my $PC. I've tried different rules but can't
get it to work. For example, how should I allow $PC to access remote HTTP
servers and forbid everything else? I don't want my OpenBSD/PF machine to access
any service, just my $PC to access the HTTP port. This is just a mere example;
I'll add other services (DNS, etc.) once I understand the logic behind this
configuration.
0 int_if = "ne3"
1 ext_if = "ne4"
2 PC = "192.168.1.2"
3 set loginterface $ext_if
4 set skip on lo0
5 set block-policy return
6 # SCRUB
7 scrub in all fragment reassemble min-ttl 15 max-mss 1400 no-df
8
9 # NAT && RDR
10 nat on $ext_if from $int_if:network to any -> ($ext_if)
11
12 # DENY && LOG EVERYTHING
13 block log all
14
15 # INBOUND/OUTBOUND: LAN <> PF
16 pass in quick on $int_if from $int_if:network to any keep state
17 pass out quick on $int_if from any to $int_if:network keep state
18
19 # ALLOW $PC ACCESS HTTP SERVICE
20 pass out on $ext_if from $PC to any port 80 keep state
Shouldn't line (20) be allowing HTTP to pass out from $PC? (16) allows access
from any local machine to PF, so as I understand it, (20) should allow access
to port 80 on the Internet from $PC, but (13) is blocking everything.
             INTERNET
                |
                | $ext_if ne4
                | Dynamic IP Address
             ------
             | PF |  192.168.1.1
             ------
                | $int_if ne3
                |
             ------
             | PC |  192.168.1.2
             ------
Thanks in advance!
JC
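One way to write the restrictive policy the post asks for, as an added example that is not JC's ruleset and not taken from the PF FAQ. It assumes the same interfaces, macros and topology as the post and the pre-4.7 "nat on" syntax used there, under which outbound packets are translated before the "pass out on $ext_if" rules are evaluated; the per-host decision is therefore made on $int_if, where the source address is still $PC, and a packet tag carries that decision across to $ext_if. The tag name PC_INET and the port macro are assumptions.

```pf
# Added example, not the original poster's ruleset. Same macros and interfaces
# as the post; "PC" is spelled to match the $PC references in the rules.
int_if = "ne3"
ext_if = "ne4"
PC     = "192.168.1.2"

# Destination ports $PC is allowed to reach on the Internet (assumed list).
pc_tcp_ports = "{ 80 }"

set loginterface $ext_if
set skip on lo0
set block-policy return

scrub in all fragment reassemble min-ttl 15 max-mss 1400 no-df

# Outbound packets are translated here BEFORE the "pass out on $ext_if" rules
# are matched, so on $ext_if the source is already ($ext_if), never $PC.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny and log: anything not explicitly passed shows up on pflog0.
block log all

# 1. Per-host, per-port decision on the LAN side, where the source is still
#    $PC. Other LAN hosts, and $PC to any other port, fall through to the
#    "block log all" above. The tag records that this packet was approved.
pass in quick on $int_if proto tcp from $PC to any port $pc_tcp_ports \
    tag PC_INET keep state

# 2. On the external side only tagged packets are let out. Because the tag is
#    set solely by rule 1, the firewall's own connections to port 80 (untagged)
#    remain blocked, which is what the post asks for.
pass out quick on $ext_if proto tcp from ($ext_if) to any port $pc_tcp_ports \
    tagged PC_INET keep state

# Later additions (DNS, etc.) follow the same two-rule pattern, e.g. for
# UDP/53 from $PC to a resolver on the Internet:
#   pass in  quick on $int_if proto udp from $PC to any port 53 \
#       tag PC_INET keep state
#   pass out quick on $ext_if proto udp from ($ext_if) to any port 53 \
#       tagged PC_INET keep state
```

Loading with `pfctl -nf /etc/pf.conf` first checks the syntax without applying it, and `tcpdump -n -e -ttt -i pflog0` then shows exactly which rule number blocked any remaining traffic.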