Help with simple pf, how to let traffic out from the firewall ?

2009-10-27 Thread Matthew Young
Hello,

I have this very simple pf.conf. However, I am unable to specify that
the firewall itself should have unrestricted access; the port
blocking should only apply to the users on the LAN. What is the best
way to accomplish this? I've tried tagging 127.0.0.1 to be unrestricted
but that didn't work. I also tried adding a "pass quick on $t_externa"
but this just lets anything from anybody pass out.



# cat /etc/pf.conf
t_externa = re0
t_interna = re1

ssh_users = { 67.199.62.74 }
no_restriction_users = { 172.16.2.5 }

set block-policy return
set loginterface $t_externa
set limit states 1
set limit frags 3
set skip on lo0
set debug urgent
scrub in on $t_externa all
scrub out on $t_externa all random-id

# Perform NAT for $t_interna to access $t_externa
nat on re0 from re1:network to any -> (re0)


block all

antispoof quick for { lo }

## Added for $t_interna to reach the internet #
pass on $t_interna inet proto { tcp } from $no_restriction_users to any \
 tag NO_RESTRICTION_USERS
pass quick on $t_interna
###

## PERMIT DNS:53 CONNECTIONS OUT (UDP,TCP) ##

pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
 port 53 keep state
###

## PERMIT ALL CONNECTIONS OUT SELECTIVE USERS ##

pass out quick on $t_externa proto { tcp, udp } to any tagged \
 NO_RESTRICTION_USERS keep state
###

## PERMIT SQUID PROXY(3128) CONNECTIONS OUT ##

pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
 port { 80, 443 } flags S/SA modulate state

## PERMIT ICMP TRAFFIC FOR NETWORK DEBUGGING ##
pass inet proto icmp all icmp-type { echoreq, unreach } keep state




--Matt



Re: Help with simple pf, how to let traffic out from the firewall ?

2009-10-27 Thread Maxime DERCHE
On Tue, 27 Oct 2009 11:05:05 -0500
Matthew Young myoung24...@gmail.com wrote:

> Hello,
> 
> I have this very simple pf.conf. However, I am unable to specify that
> the firewall itself should have unrestricted access; the port
> blocking should only apply to the users on the LAN. What is the best
> way to accomplish this? I've tried tagging 127.0.0.1 to be unrestricted
> but that didn't work. I also tried adding a "pass quick on $t_externa"
> but this just lets anything from anybody pass out.

Maybe something like 

pass out quick on $t_externa from ($t_externa) 

would do the job (this is actually what I'm using for my humble home
gateway, see
http://www.mouet-mouet.net/doku.php?id=mouet-mouet:routeur#script_de_configuration_pf).


Regards,
Maxime

-- 
Maxime DERCHE
GnuPG public key ID : 0x9A85C4C0
(fingerprint : 0FDC 16AF 5A5B 1908 786C  2B85 2D3C C83E 9A85 C4C0)
http://www.mouet-mouet.net/maxime/blog/index.php
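Added example (an editor's rewrite of the configuration from the first post; it is neither the poster's /etc/pf.conf nor the gateway script Maxime links to): a pf.conf that answers the original question by deciding LAN policy where the LAN packets enter, on the internal interface, instead of trying to recognise the firewall's own packets by source address on re0. On the pf of that period (OpenBSD up to 4.6 and the FreeBSD/NetBSD ports derived from it) the "nat on re0" rule rewrites the source address of a LAN packet before the "pass out on re0" rules are evaluated, so "from ($t_externa)" in Maxime's suggested rule also matches every NATed LAN packet, which is the "anything from anybody" effect the poster describes. Interface names and addresses are copied from the post; the macro names, the ssh rule on port 22, and the assumption that Squid listens on port 3128 on the LAN side are this example's own.

```pf
# Added example, not the poster's file. Assumes re0 is the Internet side,
# re1 the LAN, and OpenBSD 4.6-era / FreeBSD pf syntax with "nat" rules
# (the dialect the thread uses). ssh_users and the 3128 rule are assumptions.
ext_if = "re0"
int_if = "re1"

ssh_users = "{ 67.199.62.74 }"
no_restriction_users = "{ 172.16.2.5 }"

set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in on $ext_if all
scrub out on $ext_if all random-id

# NAT is applied before the outbound filter on $ext_if, so by the time a LAN
# packet reaches a "pass out on $ext_if" rule its source is already $ext_if's
# own address. "from ($ext_if)" therefore cannot separate the firewall's own
# traffic from NATed LAN traffic; the LAN policy is enforced on $int_if below.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all
antispoof quick for $int_if

# --- LAN policy, enforced inbound on $int_if -------------------------------
# Unrestricted hosts: everything.
pass in quick on $int_if from $no_restriction_users to any keep state
# Everyone else on the LAN: DNS, the firewall's Squid on 3128 (assumed to
# listen on $int_if), direct web, and ICMP for debugging. Anything else from
# the LAN is stopped by "block all" right here, before it can reach $ext_if.
pass in quick on $int_if inet proto { tcp, udp } from $int_if:network \
    to any port 53 keep state
pass in quick on $int_if inet proto tcp from $int_if:network \
    to ($int_if) port 3128 flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_if:network \
    to any port { 80, 443 } flags S/SA modulate state
pass in quick on $int_if inet proto icmp from $int_if:network to any \
    icmp-type { echoreq, unreach } keep state

# --- Outbound on $ext_if ---------------------------------------------------
# Whatever reaches the outbound side of $ext_if was either accepted by the
# rules above or originated on the firewall itself (Squid, the resolver,
# package fetches, ...). So the firewall is unrestricted without any rule
# that special-cases its address; the state created here carries the NAT.
pass out quick on $ext_if keep state

# --- Inbound on $ext_if ----------------------------------------------------
# Replies to outbound connections are matched by state. New inbound
# connections: ssh from the listed host only, plus ICMP for debugging.
pass in quick on $ext_if inet proto tcp from $ssh_users to ($ext_if) \
    port 22 flags S/SA keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type { echoreq, unreach } keep state
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf", then load it and watch "pfctl -ss" while a restricted LAN host tries something other than DNS or web: no state should appear for it on either interface, while a connection started on the firewall itself shows up as an outbound state on re0. Two things from the posted file are deliberately left out here: the tag/tagged pair is unnecessary once the LAN decision is made on re1, and "set limit states 1" is omitted because it caps the whole state table at a single entry, which on its own will make most of the posted rules appear not to work.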