Many people who have to configure multiple-NIC firewalls with pf have difficulties understanding what, according to pf, is in and what is out.
Code:
                  /|\       |
            out    |        |   in
                   |        |
                   |       \|/
                   |        |
       +-----------|--------|-----------+
       |        +--+--------+--+        |
       |        |    PPPoE     |        |
       |        +--------------+        |
       |                                |
       |     +---+            +---+     |
  out  |     |   |            |   |     |  out
 <-----------| W |            |   |------------>
       |     | L |            | L |     |
       |     | A |            | A |     |
 ----->------| N |            | N |------<-----
   in  |     |   |            |   |     |   in
       |     +---+            +---+     |
       |                                |
       |            OpenBSD             |
       |              pf                |
       |                                |
       +--------------------------------+
It is also easier if you use the tag facilities that pf provides. With tags you can simplify your ruleset. Because today is my wedding anniversary, the following is in pf pseudocode and only meant to get you started:
- Internal traffic
- Wireless LAN ---> LAN
Code:
# packets from the wireless net arrive "in" on WLAN and leave the box "out" on LAN
pass in quick on WLAN from WLAN:network to LAN:network tag LAN_OUT
pass out quick on LAN tagged LAN_OUT
- LAN --> Wireless LAN
Code:
# the reverse direction: "in" on LAN, "out" on WLAN
pass in quick on LAN from LAN:network to WLAN:network tag WLAN_OUT
pass out quick on WLAN tagged WLAN_OUT
- Internal traffic ---> INTERNET
- WLAN --> internet
Code:
# the WLAN -> LAN rule above is quick, so what is left is everything not destined for the LAN
pass in quick on WLAN from WLAN:network to ! LAN:network tag OUT_PPPOE
pass out quick on PPPOE tagged OUT_PPPOE
- LAN --> internet
Code:
pass in quick on LAN from LAN:network to ! WLAN:network tag OUT_PPPOE
# same tag, so the "pass out quick on PPPOE tagged OUT_PPPOE" rule above lets it leave the box
Of course you will need some additional rules and refinements to allow the DHCP and SSH traffic from/to the OpenBSD pf box itself.
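The pseudocode above turned into a complete pf.conf for the three-interface box in the diagram, as an added example (it is not the original poster's configuration). It assumes OpenBSD 4.7 or newer syntax (match ... nat-to), the interface names athn0, em0 and pppoe0, a DHCP server running on the box, and that SSH administration is wanted only from the wired LAN; adjust those to your own setup.

```pf
# Added example, not the original poster's ruleset.
# Assumed interface names; check yours with ifconfig(8).
wlan  = "athn0"     # wireless side
lan   = "em0"       # wired side
pppoe = "pppoe0"    # PPPoE uplink to the ISP

set skip on lo

# The tag rules below trust the source address of a packet, so make sure a
# packet claiming a LAN source cannot come "in" on the wireless interface.
antispoof quick for { $wlan, $lan }

# Translate both internal networks to the (dynamic) PPPoE address on the way out.
match out on $pppoe inet from { $wlan:network, $lan:network } nat-to ($pppoe)

# Default deny: only tagged or explicitly allowed traffic gets through.
block log all

# --- traffic for the box itself (the additional rules the post mentions) ---
# DHCP requests come from 0.0.0.0, so "from $lan:network" would never match them.
pass in  quick on { $wlan, $lan } proto udp from any port bootpc to any port bootps
pass out quick on { $wlan, $lan } proto udp from any port bootps to any port bootpc
# SSH to the box only from the wired LAN, and only to the box's LAN address.
pass in  quick on $lan proto tcp from $lan:network to ($lan) port ssh
# The box's own outbound traffic (DNS, NTP, package fetches) on any interface.
pass out quick from { ($wlan), ($lan), ($pppoe) }

# --- forwarded traffic: tagged on the way "in", matched on the way "out" ---
# Wireless LAN -> LAN
pass in  quick on $wlan from $wlan:network to $lan:network tag LAN_OUT
pass out quick on $lan tagged LAN_OUT
# LAN -> Wireless LAN
pass in  quick on $lan from $lan:network to $wlan:network tag WLAN_OUT
pass out quick on $wlan tagged WLAN_OUT
# Wireless LAN and LAN -> Internet: whatever the quick rules above did not take
pass in  quick on $wlan from $wlan:network to ! $lan:network tag OUT_PPPOE
pass in  quick on $lan  from $lan:network  to ! $wlan:network tag OUT_PPPOE
pass out quick on $pppoe tagged OUT_PPPOE
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the tag names are free-form and only have to agree between the `tag` and `tagged` rules. Because every pass rule is `quick`, rule order is what decides: the WLAN -> LAN rule must sit before the catch-all WLAN -> Internet rule, otherwise LAN-bound packets would be tagged OUT_PPPOE and have no matching `pass out` on the LAN side.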