#8
17th December 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by capt_cosmo
However, I am wondering why it was possible for you to connect to the internet from the lan and wlan interfaces while for me it was denied.
I only used the rules you shared above. Since you asked, I've gone back to the lab and using tcpdump(8) and pflog(8) I can see exactly what rules matched.

LAN traffic -- inbound, the highlighted rule below:
Code:
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
Outbound, this highlighted rule:
Code:
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
For your WLAN, it was these highlighted rules:
Code:
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network  
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
and...
Code:
# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)
Quote:
Is there a way to rewrite the excerpted rules without the two 'block' statements?
You are in the minority of PF users, as you use quick for every rule. The majority of us use quick as an exception. The default is a "last matching rule wins" process, and that allows us to write our general rules at the top of the rule list, then get more specific as we descend it.

Your "cleanup" is a file fragment and I have not yet reviewed what you have done. As I've stated, you should not require "block quick" rules in among your various "pass quick" rules, as you started with a standard block all rule.

Please note that you have several rules that PF did not apply to your ruleset. They could never match, so PF ignored them. I've highlighted them below; the rules above them negate their ever being matched:
Code:
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
 
# lan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
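The two points in the post above (a "last matching rule wins" default that `quick` overrides, and rules that sit below a `quick` rule that already captures everything they could match) can be checked mechanically. The following is an added example, not code from the thread or from pf(4) itself: a toy evaluator that models just enough of pf's rule matching to show which rule decides each of a few constructed packets under the poster's all-`quick` excerpt, and which rules are unreachable. The interface names `$if_lan` and `$if_wlan` are the thread's; the addresses, the sample packets, and the `REWRITE` ruleset (one `block all` followed by non-`quick` passes, with the one remaining block placed after the general pass it narrows) are assumptions made for the illustration.

```python
"""Toy PF-style rule evaluator (added example; not pf(4) and not the poster's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed lab addressing; the thread gives none.
NETS = {
    "if_lan": ipaddress.ip_network("192.168.1.0/24"),
    "if_wlan": ipaddress.ip_network("192.168.2.0/24"),
}
IFADDR = {  # the router's own address on each interface ("$if_lan" without ":network")
    "if_lan": ipaddress.ip_address("192.168.1.1"),
    "if_wlan": ipaddress.ip_address("192.168.2.1"),
}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # "in", "out" or None for any
    iface: Optional[str]         # interface name or None for any
    src: Optional[str] = None    # "if_x:network", "if_x" (the interface address) or None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    text: str = ""               # the pf.conf line this rule stands for


@dataclass
class Packet:
    direction: str
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def addr_matches(spec: Optional[str], addr) -> bool:
    """Does a rule's address spec match a concrete address?"""
    if spec is None:
        return True
    if spec.endswith(":network"):
        return addr in NETS[spec[: -len(":network")]]
    return addr == IFADDR[spec]


def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction in (None, p.direction)
            and r.iface in (None, p.iface)
            and addr_matches(r.src, p.src)
            and addr_matches(r.dst, p.dst)
            and r.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """(decision, index of the deciding rule). The last matching rule wins,
    unless a matching rule is `quick`, which ends the search at once.
    Like pf, a packet no rule matches is passed; that is why rulesets
    start with a block-all."""
    winner = None
    for i, r in enumerate(rules):
        if rule_matches(r, p):
            winner = i
            if r.quick:
                break
    return ("pass", None) if winner is None else (rules[winner].action, winner)


def spec_covers(wide: Optional[str], narrow: Optional[str]) -> bool:
    """True when everything the narrow spec can match, the wide spec matches too."""
    if wide is None or wide == narrow:
        return True
    # "$if_x:network" contains the interface's own address "$if_x"
    return wide.endswith(":network") and narrow == wide[: -len(":network")]


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match: an earlier `quick` rule already
    matches every packet they could see, so evaluation never reaches them."""
    dead = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.quick and spec_covers(e.direction, r.direction)
                    and spec_covers(e.iface, r.iface)
                    and spec_covers(e.src, r.src) and spec_covers(e.dst, r.dst)
                    and e.dport in (None, r.dport)):
                dead.append(i)
                break
    return dead


# The poster's LAN and WLAN excerpts, transcribed, behind the block-all the post says they start with.
POSTED = [
    Rule("block", None, None, text="block all"),
    Rule("block", "in", "if_lan", dst="if_lan", quick=True, text="block in log quick on $if_lan to $if_lan"),
    Rule("pass", "in", "if_lan", src="if_lan:network", dst="if_wlan:network", quick=True),
    Rule("pass", "in", "if_lan", src="if_lan:network", quick=True),
    Rule("block", "in", "if_wlan", dst="if_lan:network", quick=True),
    Rule("block", "in", "if_wlan", dst="if_wlan:network", quick=True),
    Rule("pass", "in", "if_wlan", src="if_wlan:network", quick=True),
    Rule("pass", "in", "if_wlan", src="if_wlan:network", dst="if_wlan", dport=67, quick=True),
    Rule("pass", "in", "if_wlan", src="if_wlan:network", dst="if_wlan", dport=68, quick=True),
]

# An assumed last-match rewrite: general rules first, the one specific block after the pass it narrows.
REWRITE = [
    Rule("block", None, None, text="block all"),
    Rule("pass", "in", "if_lan", src="if_lan:network"),
    Rule("pass", "in", "if_wlan", src="if_wlan:network"),
    Rule("block", "in", "if_wlan", src="if_wlan:network", dst="if_lan:network"),
]

A = ipaddress.ip_address
SAMPLE = [  # constructed packets, all inbound on the router's inner interfaces
    Packet("in", "if_lan", A("192.168.1.10"), A("203.0.113.5"), 443),   # LAN host -> internet
    Packet("in", "if_wlan", A("192.168.2.10"), A("203.0.113.5"), 443),  # WLAN host -> internet
    Packet("in", "if_wlan", A("192.168.2.10"), A("192.168.1.20"), 22),  # WLAN host -> LAN host
    Packet("in", "if_wlan", A("192.168.2.10"), A("192.168.2.1"), 67),   # WLAN host -> router, port 67
]


def decisions(rules: List[Rule]) -> List[Tuple[str, Optional[int]]]:
    return [evaluate(rules, p) for p in SAMPLE]


if __name__ == "__main__":
    for name, rules in (("POSTED", POSTED), ("REWRITE", REWRITE)):
        print(name, "unreachable rule indices:", shadowed(rules))
        for p, (verdict, idx) in zip(SAMPLE, decisions(rules)):
            print(f"  {p.src} -> {p.dst}:{p.dport} {verdict} by rule {idx}")
```

Running it shows the two DHCP pass rules in `POSTED` reported as unreachable, because the earlier `block in log quick on $if_wlan to $if_wlan:network` already swallows any packet addressed to the router's WLAN address; the fourth sample packet is decided by that block rule, never by the port 67 rule. Under `REWRITE` the three other packets get the same verdicts, but with no `quick` anywhere and the specific block placed below the general pass, which is the ordering the post describes.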