Help with simple pf, how to let traffic out from the firewall ?


Help with simple pf, how to let traffic out from the firewall ?

Matthew Young-9
Hello,

I have this very simple pf.conf. However I am unable to specify that
the firewall itself should have unrestricted access, the port
blockings should only apply to the users on the LAN. What is the best
way to accomplish this? I've tried tagging 127.0.0.1 to be unrestricted
but that didn't work. I also tried adding a pass quick on $t_externa
but this just lets anything from anybody pass out.



# cat /etc/pf.conf
t_externa = "re0"
t_interna = "re1"

ssh_users = "{ 67.199.62.74 }"
no_restriction_users = "{ 172.16.2.5 }"

set block-policy return
set loginterface $t_externa
set limit states 10000
set limit frags 30000
set skip on lo0
set debug urgent
scrub in on $t_externa all
scrub out on $t_externa all random-id

# Perform NAT for $t_interna to access $t_externa
nat on re0 from re1:network to any -> re0


block all

antispoof quick for { lo }

################## Added for $t_interna to reach the internet #################
pass on $t_interna inet proto { tcp } from $no_restriction_users to \
    any tag NO_RESTRICTION_USERS
pass quick on $t_interna
###############################################################################

#################### PERMIT DNS:53 CONNECTIONS OUT (UDP,TCP) ############################
pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
     port 53 keep state
#######################################################################################

################## PERMIT ALL CONNECTIONS OUT SELECTIVE USERS ####################
pass out quick on $t_externa proto { tcp udp }  to any tagged \
        NO_RESTRICTION_USERS keep state
###############################################################################

#################### PERMIT SQUID PROXY(3128) CONNECTIONS OUT ##################

pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
    port { 80 443 } flags S/SA modulate state

################ PERMIT ICMP TRAFFIC FOR NETWORK DEBUGGING #####################
pass inet proto icmp all icmp-type { echoreq, unreach } keep state
################################################################################



--Matt


Re: Help with simple pf, how to let traffic out from the firewall ?

Maxime DERCHE-3
On Tue, 27 Oct 2009 11:05:05 -0500
Matthew Young <[hidden email]> wrote:

> Hello,
>
> I have this very simple pf.conf. However I am unable to specify that
> the firewall itself should have unrestricted access, the port
> blockings should only apply to the users on the LAN. What is the best
> way to accomplish this? I've tried tagging 127.0.0.1 to be unrestricted
> but that didn't work. I also tried adding a pass quick on $t_externa
> but this just lets anything from anybody pass out.

Maybe something like

pass out quick on $t_externa from ($t_externa)

would do the job (this is actually what I'm using for my humble home
gateway, see
<http://www.mouet-mouet.net/doku.php?id=mouet-mouet:routeur#script_de_configuration_pf>).


Regards,
Maxime

--
Maxime DERCHE
GnuPG public key ID : 0x9A85C4C0
(fingerprint : 0FDC 16AF 5A5B 1908 786C  2B85 2D3C C83E 9A85 C4C0)
http://www.mouet-mouet.net/maxime/blog/index.php
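For reference, here is a complete ruleset in the spirit of the reply. It is an added example, not the configuration of either poster or of the linked gateway script; the interface names and the 172.16.2.5 address are reused from the original post, and the port list is an assumption. Two details explain why tagging 127.0.0.1 did not work in the original ruleset: the gateway's own packets leave re0 with re0's address (not 127.0.0.1), and `set skip on lo0` means nothing on loopback is evaluated at all. The other point worth knowing for pf of this era is that NAT is applied before outbound filtering, so a rule on re0 such as `from ($t_externa)` also matches LAN packets whose source has already been rewritten to re0's address. The LAN port policy is therefore enforced inbound on re1, where the original source address is still visible, and the external interface simply passes whatever carries the gateway's address.

```pf
# Added example (not from the thread): OpenBSD 4.6-era pf.conf where LAN
# users are limited to a few destination ports while the gateway itself is
# unrestricted. Interface names and 172.16.2.5 come from the original post;
# the permitted port list is an assumption.
t_externa = "re0"
t_interna = "re1"
no_restriction_users = "{ 172.16.2.5 }"
lan_ports = "{ 53 80 443 }"

set block-policy return
set skip on lo0
scrub in all

# Translation happens before outbound filtering, so rules on $t_externa
# see the gateway's own address as the source of NATed LAN packets.
nat on $t_externa from $t_interna:network to any -> ($t_externa)

block all
antispoof quick for { lo0 $t_interna }

# LAN policy is enforced where the original source address is still
# visible: inbound on the internal interface, before NAT.
pass in quick on $t_interna from $no_restriction_users to any keep state
pass in on $t_interna inet proto { tcp udp } from $t_interna:network to any \
    port $lan_ports keep state
pass in on $t_interna inet proto icmp from $t_interna:network to any \
    icmp-type { echoreq unreach } keep state

# Everything leaving the external interface with the gateway's address is
# allowed: the gateway's own traffic, plus LAN traffic that already passed
# the rules above. Anything else was dropped on $t_interna and never gets here.
pass out quick on $t_externa from ($t_externa) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. A quick way to confirm the split is doing what you expect is `pfctl -vsr` to see per-rule packet counters: outbound connections opened on the gateway itself should increment only the last rule, while a LAN host's blocked attempt should show up in the default `block all` counter rather than anywhere on $t_externa.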