I had this working in 4.6 and earlier, and I feel I'm missing something really silly but I'm stumped. I have three interfaces on my firewall/gateway. I have a public AP on the third NIC, and as such want to block traffic going to the internal network from there. int_if and pubwi_if are on separate private subnets (192.168.1.x and 2.x respectively).
Code:
ext_if = "fxp0"
int_if = "xl0"
pubwi_if = "xl1"
set skip on { lo enc0 }
match in all scrub (no-df)
match out on $ext_if from !$ext_if nat-to $ext_if
block in on $ext_if all
pass out on $ext_if all
# Block public wi-fi traffic from internal net
block in quick on $int_if proto { tcp, udp } from $pubwi_if:network to $int_if:network
pass in log on $ext_if inet proto tcp from any to $ext_if port ssh label "ssh"
pass in inet proto icmp all icmp-type echoreq
Yet I can ping through and browse SMB shares while connected to the public AP. What did I miss?