Hi,
I have a problem regarding my pf ruleset.
My network setup looks as follows:
Code:
Internet
^
|
if_wan [pppoe0]
|
v
(client1..n) <-- if_wlan --> bsd-router <-- if_lan --> (clientn+1..m)
As you can see, I've got two internal interfaces: wlan and lan.
I'd like to achieve the following state:
1a. if_lan can connect to the wlan-clients through if_wlan
1b. if_lan can connect to the sshd on the bsd-router
1c. if_lan can connect to the internet through if_wan
2a. if_wlan can connect to the dhcpd on the bsd-router
2b. if_wlan can connect to the internet
Short:
if_lan -> if_wan, if_wlan, bsd-router:ssh
if_wlan -> if_wan, bsd-router:dhcp
Coming from the iptables world, my current approach seems a little odd to me – although
it seems to work out just fine. Anyway, the relevant lines are:
Code:
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
I assumed I could state rules just like:
Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan) # allow if_lan -> internet
pass in quick on $if_lan from $if_lan:network to $if_wlan:network # allow if_lan -> if_wlan
pass in quick on $if_lan from $if_lan:network to $if_lan port ssh
Those lines, which I expected to work, prevent me from connecting to the internet... Note: I also tried using "(egress)" instead of "($if_wan)".
(I wanted to post a link to the entire ruleset but unfortunately I can't because I need to have at least five posts. Instead I'll just post it here, sorry)
The whole ruleset:
Code:
# interfaces
if_lan="vr0"
if_wan="pppoe0"
if_wlan="vr2"
if_wan_bandwith="1400Kb"
# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
# ssh, SIP (5060, 5061), ICQ (5190), Jabber (5222, 5223), irc, Playstation Net (3478-3480, 5223)
que_int_ports_tcp = "{ ssh, 5060, 5061, 5190, 5222, 5223, irc, 3478, 3479, 3480 }"
# SIP (5060, 5061), PSN (3478, 3479)
que_int_ports_udp = "{ 5060, 5061, 3478, 3479 }"
# options
##############
# allow lo communication
set skip on lo
set block-policy drop
# hygiene
##############
# scrubbing
match in all scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match on $if_wan scrub (max-mss 1440)
# qos
###############
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }
queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6
# nat
###############
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port
# filtering
###############
# block all packets
block all
# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }
# reject ipv6
block quick on $if_wan inet6 all
# block private addresses on external interfaces
block drop in quick on $if_wan from <private_nets>
block drop out quick on $if_wan to <private_nets>
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
# enable input
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
Thanks for any suggestions.
Sören
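Editor's note, added after the post and not part of Sören's ruleset: the policy listed under 1a-2b written as a per-interface pf.conf, with the queueing, scrubbing and queue assignments of the original left out so only the filtering decisions remain. Interface names and the <private_nets> table are taken from the post; everything else (rule order, the use of the table as "not the internet", the DHCP port matches) is this example's own choice. The key point it illustrates is the one behind the "to ($if_wan)" problem: a parenthesised interface name expands to the addresses assigned to that interface, i.e. the router's own PPPoE address, so such a rule only matches traffic aimed at the router itself and never a packet bound for a host on the internet. "Internet" is expressed here as "any destination that is not a private network" instead.

```pf
# Added example: per-interface policy for the setup described in the post.
# Assumed names and addresses: vr0 = lan, vr2 = wlan, pppoe0 = wan; the lan
# and wlan networks are assumed to be RFC 1918 space covered by <private_nets>.
if_lan="vr0"
if_wan="pppoe0"
if_wlan="vr2"

table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
set block-policy drop

# nat for both internal networks when leaving the wan interface
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } nat-to ($if_wan)

# default deny, then spoofing protection on the internal interfaces
block all
antispoof quick for { $if_lan $if_wlan }

# "to ($if_wan)" would expand to the router's own pppoe0 address and therefore
# never match a packet whose destination is an internet host. The rules below
# use "! <private_nets>" to mean "the internet" instead.

# 1b. lan -> router:ssh (only the router's own lan address, not the whole net)
pass in quick on $if_lan proto tcp from $if_lan:network to ($if_lan) port ssh

# 1a. lan -> wlan clients; the state created on vr0 is matched by the
#     explicit pass out on vr2 so forwarded packets are not dropped on exit
pass in  quick on $if_lan  from $if_lan:network to $if_wlan:network
pass out quick on $if_wlan from $if_lan:network to $if_wlan:network

# 1c. lan -> internet; any other private destination falls through to "block all"
pass in quick on $if_lan from $if_lan:network to ! <private_nets>

# 2a. wlan -> router:dhcp. A DISCOVER or REQUEST from a client without a lease
#     is sent from 0.0.0.0 to 255.255.255.255, so "from $if_wlan:network" would
#     not match it; match on the service ports (bootpc 68 -> bootps 67) instead,
#     and allow the server's reply back out on the same interface.
pass in  quick on $if_wlan inet proto udp from any port bootpc to any port bootps
pass out quick on $if_wlan inet proto udp from any port bootps to any port bootpc

# 2b. wlan -> internet only; wlan clients reach neither the lan nor the router
block in log quick on $if_wlan from $if_wlan:network to <private_nets>
pass in      quick on $if_wlan from $if_wlan:network to ! <private_nets>

# outbound side of the NATed lan and wlan traffic
pass out quick on $if_wan
```

Load it with `pfctl -nf /etc/pf.conf` first to let pf parse it without installing it, then check the result of a connection with `pfctl -ss` (state table) and `pfctl -sr -vv` (per-rule packet counters), which shows directly which rule a lan-to-internet packet is hitting.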