#5
17th October 2019
jggimi

Here is a ruleset based on your graphic. Note that there is no "Internet" connection defined, nor is there any domain traffic permitted. What ICMP traffic is permitted is ping, only, and limited as you directed.
Code:
ops = "10.11/16"
dmz = "10.12/16"
mgt = "10.10/16"

# default block

block return log

# ssh:
# from ops to mgt
# from mgt to dmz

pass log proto tcp from $ops to $mgt port ssh
pass log proto tcp from $mgt to $dmz port ssh

# https:
# from dmz to mgt

pass log proto tcp from $dmz to $mgt port https

# ping:
# from ops to the address(es) defined for em0
# from mgt to dmz and ops

pass log proto icmp from $ops to em0 icmp-type echoreq
pass log proto icmp from $mgt to { $dmz $ops } icmp-type echoreq
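To see which flows the ruleset above actually admits, here is an added Python model (not part of the post, and not PF itself) that evaluates a packet the way pf.conf rules are matched: every rule is tested in order and the last match wins, since none of them use "quick". It ignores state tracking (PF's default keep state lets replies through) and assumes em0 carries the address 10.10.0.1, which the post does not state.

```python
from ipaddress import ip_address, ip_network

# Macros from the posted ruleset ("10.11/16" etc. written out in full)
OPS = ip_network("10.11.0.0/16")
DMZ = ip_network("10.12.0.0/16")
MGT = ip_network("10.10.0.0/16")
# Assumption (not in the post): the address configured on em0
EM0 = [ip_network("10.10.0.1/32")]

ECHOREQ = 8  # ICMP type for echo request ("echoreq" in pf.conf)

# (action, proto, sources, destinations, port or icmp-type), in pf.conf order.
# None means "any". No rule carries "quick", so PF keeps evaluating and the
# last rule that matches decides the verdict.
RULES = [
    ("block", None, None, None, None),              # block return log
    ("pass", "tcp", [OPS], [MGT], 22),              # ssh: ops -> mgt
    ("pass", "tcp", [MGT], [DMZ], 22),              # ssh: mgt -> dmz
    ("pass", "tcp", [DMZ], [MGT], 443),             # https: dmz -> mgt
    ("pass", "icmp", [OPS], EM0, ECHOREQ),          # ping: ops -> em0
    ("pass", "icmp", [MGT], [DMZ, OPS], ECHOREQ),   # ping: mgt -> dmz, ops
]


def _matches(addr, nets):
    """True if nets is 'any' or addr falls inside one of the networks."""
    return nets is None or any(addr in net for net in nets)


def evaluate(proto, src, dst, port_or_type):
    """Verdict ('pass' or 'block') for the first packet of a flow."""
    src, dst = ip_address(src), ip_address(dst)
    verdict = "pass"  # PF passes traffic no rule matches; the catch-all block changes that
    for action, rproto, srcs, dsts, match in RULES:
        if rproto is not None and rproto != proto:
            continue
        if not _matches(src, srcs) or not _matches(dst, dsts):
            continue
        if match is not None and match != port_or_type:
            continue
        verdict = action  # last matching rule wins
    return verdict


if __name__ == "__main__":
    # Constructed sample packets, one allowed and one not
    print(evaluate("tcp", "10.11.5.5", "10.10.1.1", 22))    # pass
    print(evaluate("tcp", "10.10.1.1", "10.11.5.5", 22))    # block
```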