pf question

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

pf question

After getting pf working with a "block in all" rule,
I am now trying to add a rule to allow local and internet access to my webserver.

I have been able to access the web server from a computer on a subnet,
I copied a rule from the OpenBSD pf faq which would seem to accomplish this,
(see ruleset below) but nothing comes back even to my browser running on the
same computer.

What pf rule(s) do I have to change/add to permit my browser and others on the
internet to access the web server?

Dave Feustel
===========current pf ruleset================
ext_if = "xl0"
#ext_ad = ""
ext_ad = "(xl0)"
web_server = "(xl0)"
pr1 = ""
pr2 = ""
pr3 = ""
pr4 = ""
nat_proto = "{tcp, udp, icmp}"

# options

set require-order yes
set block-policy drop
set optimization normal
set loginterface none

# scrubbing

scrub in all
scrub out all

# nat rules

nat on $ext_if inet proto $nat_proto \
        from {$pr1, $pr2, $pr3, $pr4} to any -> $ext_ad

# filtering

pass in quick on sis1

block in log all

pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

pass out log quick on $ext_if inet \
        from ($ext_if) to any flags S/SA keep state

antispoof for $ext_if