Thread: pf rules
#4
Old 29th July 2019
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,138

Because of the "last matching rule" logic, your PF ruleset should be ordered from the most general rule first to the most specific rule last.

Here's an example ruleset that might meet your use-case. The ICMP rule includes the inet directive, so that only IPv4 ICMP traffic is permitted to pass. The TCP rule does not require the inet directive, since it only matches traffic originating from a specific IPv4 subnet.

# block by default
block return log
# allow the preferred categories of IPv4 ICMP traffic:
pass log inet proto icmp icmp-type $icmp_types
# Allow the preferred types of IPv4 TCP traffic from the inner network:
pass log proto tcp from to any port { $allowed_tcp_ports }

Your use-case does not account for domain name resolution. If you want to add the ability for the inner network to reach one or more external nameservers, add a rule such as:

pass log proto { udp tcp } from to { $allowed_nameservers } port domain

Your use-case does not include traffic originating from the gateway itself.
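An added example, not part of jggimi's post: a small Python evaluator of PF's "last matching rule wins" semantics, run over a simplified version of the ruleset above, to show why the default block must come first and why the inet keyword on the ICMP rule keeps IPv6 ICMP out. The macro values (INNER_NET, ICMP_TYPES, ALLOWED_TCP_PORTS) and the test packets are constructed stand-ins, and rule matching is reduced to address family, protocol, source prefix, destination port and ICMP type.

```python
import ipaddress

# Constructed stand-ins for the macros used in the post's ruleset.
INNER_NET = ipaddress.ip_network("192.0.2.0/24")
ICMP_TYPES = {"echoreq"}
ALLOWED_TCP_PORTS = {22, 443}

def rule(action, af=None, proto=None, src=None, dport=None, icmp_type=None):
    """A simplified PF rule; None means 'any' for that field."""
    return dict(action=action, af=af, proto=proto, src=src,
                dport=dport, icmp_type=icmp_type)

# Same order as the post: general default block first, specific passes last.
RULESET = [
    rule("block"),
    rule("pass", af=4, proto="icmp", icmp_type=ICMP_TYPES),
    rule("pass", proto="tcp", src=INNER_NET, dport=ALLOWED_TCP_PORTS),
]

def matches(r, pkt):
    """True if every constrained field of rule r matches the packet."""
    src = ipaddress.ip_address(pkt["src"])
    if r["af"] is not None and src.version != r["af"]:
        return False
    if r["proto"] is not None and pkt["proto"] != r["proto"]:
        return False
    if r["src"] is not None and src not in r["src"]:
        return False
    if r["dport"] is not None and pkt.get("dport") not in r["dport"]:
        return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") not in r["icmp_type"]:
        return False
    return True

def evaluate(ruleset, pkt):
    """PF semantics: every rule is consulted and the LAST match decides."""
    decision = "pass"  # PF's implicit default when no rule matches at all
    for r in ruleset:
        if matches(r, pkt):
            decision = r["action"]
    return decision

if __name__ == "__main__":
    inner_ssh = {"proto": "tcp", "src": "192.0.2.10", "dport": 22}
    v6_ping = {"proto": "icmp", "src": "2001:db8::1", "icmp_type": "echoreq"}
    print(evaluate(RULESET, inner_ssh))        # pass
    print(evaluate(RULESET, v6_ping))          # block: inet keeps IPv6 ICMP out
    print(evaluate(RULESET[::-1], inner_ssh))  # block: default rule now matches last
```

PF's quick keyword, which ends evaluation at the first match, is deliberately not modelled; with it, the ordering advice above would be reversed.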