Thread: pf rules
#3
Old 29th July 2019
calanon
Port Guard
 
Join Date: Jul 2019
Posts: 38

Quote:
Originally Posted by calanon
I have the following rules.

Code:
### Packets from Internal Network ###

pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass in on $intif proto tcp to $intif port $allowed_tcp_ports

pass in on $extif inet proto icmp all icmp-type $icmp_types keep state

pass proto tcp to any port $allowed_tcp_ports
pass inet proto icmp all icmp-type $icmp_types keep state

What I want to achieve is this:

intif is on the internal network and will be the gateway to get out of the network. So from inside the network I want to be able to ping, ssh and https to anything outside of the network via $extif. But I do not want anyone to be able to use the SSH and https ports from outside the network to the $extif.

client machine {ssh 192.168.0.50} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

What have I done wrong in my rules?
Sorry if that looks strange. Here is a better version:

client machine-10.10.10.5 {ssh} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

I am assuming now that the first 3 rules are probably not even required, or are they?

I thought they were required to allow ssh to pass through $intif to $extif.
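As an added example (editor's code, not calanon's ruleset or anything from later in the thread), here is a complete pf.conf that implements the policy the post describes: internal hosts may ping, ssh and https out through $extif, nothing from outside may reach ssh or https on $extif. It uses the post's macros and addresses; the interface names em0/em1 and the 10.10.10.0/24 internal subnet are assumptions. The security-relevant point it illustrates is pf's last-matching-rule evaluation: a rule such as `pass proto tcp to any port $allowed_tcp_ports` carries no `in`/`out` direction and no `on` interface, so it matches packets arriving on $extif as well, and being the last match it overrides any earlier block. Qualifying every pass rule with a direction and an interface, under a default `block`, removes that hole.

```pf
# Added example pf.conf (not the poster's config). Assumed values:
#   $intif = em0, address 10.10.10.10 on 10.10.10.0/24 (internal side)
#   $extif = em1 (external side); 192.168.0.50 is the outside server from the post
intif = "em0"
extif = "em1"
allowed_tcp_ports = "{ ssh, https }"
icmp_types = "{ echoreq }"

set skip on lo

# NAT internal clients out through the external interface (OpenBSD pf syntax).
match out on $extif inet from $intif:network nat-to ($extif)

# Default deny, logged, so dropped traffic is visible on pflog0.
block log all

# The rule from the post that opens ssh/https on $extif to the outside:
# no "in"/"out" and no "on <interface>", and it is the last matching rule.
#   pass proto tcp to any port $allowed_tcp_ports
#
# Replacement: accept ssh/https and ping only when they arrive on the internal
# interface from an internal address (covers both the gateway itself and
# anything beyond $extif as destination).
pass in on $intif inet proto tcp from $intif:network to any port $allowed_tcp_ports
pass in on $intif inet proto icmp from $intif:network to any icmp-type $icmp_types

# Let the forwarded connections leave on $extif. Pass rules keep state by
# default on OpenBSD pf, so replies from 192.168.0.50 match the state entry
# and need no "pass in on $extif" rule.
pass out on $extif inet proto tcp to any port $allowed_tcp_ports
pass out on $extif inet proto icmp to any icmp-type $icmp_types

# There is deliberately no "pass in on $extif" for tcp: an ssh or https
# connection from the outside server to the gateway falls through to "block log all".
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -sr` to confirm the rule order matches the file. With the ruleset loaded, an ssh attempt from the outside server to the $extif address should time out rather than connect, and `tcpdump -n -e -ttt -i pflog0` shows the dropped SYN against the `block log all` rule, while `pfctl -ss` shows state entries only for connections that originated on $intif.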