pf rules
I have the following rules.
Code:
### Packets from Internal Network ###
pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass in on $intif proto tcp to $intif port $allowed_tcp_ports
pass in on $extif inet proto icmp all icmp-type $icmp_types keep state
pass proto tcp to any port $allowed_tcp_ports
pass inet proto icmp all icmp-type $icmp_types keep state

$intif is on the internal network and will be the gateway to get out of the network. So from inside the network I want to be able to ping, ssh and https to anything outside of the network via $extif. But I do not want anyone to be able to use the SSH, https ports from outside the network to the $extif.

client machine {ssh 192.168.0.50} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

What have I done wrong in my rules?
Quote:
client machine-10.10.10.5 {ssh} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

I am assuming now that the first 3 rules are probably not even required, or? I thought they were required to allow ssh to pass through $intif to $extif.
Because of the "last matching rule" logic, your PF ruleset should be ordered from the most general rule first to the most specific rule last.
Here's an example ruleset that might meet your use-case. The ICMP rule includes the inet directive, so that only IPv4 ICMP traffic is permitted to pass. The TCP rule does not require the inet directive, since it only matches traffic originating from a specific IPv4 subnet.
Code:
# block by default
block return log
#
# allow the preferred categories of IPv4 ICMP traffic:
pass log inet proto icmp icmp-type $icmp_types
#
# Allow the preferred types of IPv4 TCP traffic from the inner network:
pass log proto tcp from 10.10.10.0/24 to any port { $allowed_tcp_ports }

Code:
pass log proto { udp tcp } from 10.10.10.0/24 to { $allowed_nameservers } port domain
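The reply above shows the filter rules but not the macros or the NAT they sit on. What follows is an added, complete pf.conf for the two-interface gateway in this thread; it is not code from either poster. The interface names (em0, em1), the inner subnet 10.10.10.0/24 and the macro values are assumptions chosen to match the addresses in the thread, and the syntax is OpenBSD's (match ... nat-to); FreeBSD's pf would use its older nat rule instead.

```pf
# Added example, not from the thread. Interface names and macro values
# are assumptions; adjust them to the real gateway.
intif  = "em1"                      # inner network (assumed name)
extif  = "em0"                      # Internet-facing (assumed name)
intnet = "10.10.10.0/24"            # inner subnet, per the thread's addresses
icmp_types        = "{ echoreq, unreach }"
allowed_tcp_ports = "{ ssh, https }"

set skip on lo

# Inner hosts leave through the gateway's external address.
match out on $extif inet from $intnet to any nat-to ($extif)

# Default deny. Because the last matching rule wins, every later pass
# rule is an exception to this one; anything they do not name is dropped.
block return log all

# The gateway's own outbound traffic (DNS, package updates, ...).
pass out quick on $extif inet

# Inner hosts may ping and reach ssh/https anywhere. Each match creates a
# state entry (keep state is the default), and that entry, not another
# rule, lets the forwarded packets and their replies through $extif.
pass in log on $intif inet proto icmp from $intnet to any icmp-type $icmp_types
pass in log on $intif inet proto tcp  from $intnet to any port $allowed_tcp_ports

# DNS from inner hosts needs its own pass rule, as in the reply above;
# add one here if the gateway is not the resolver.

# Deliberately no "pass in on $extif ... port $allowed_tcp_ports":
# a new ssh or https connection arriving on $extif matches only the
# block rule, while replies to inner hosts are accepted by state.
```

Two checks worth running before loading this: pfctl -nf /etc/pf.conf parses the file without applying it, and the forwarding sysctl (net.inet.ip.forwarding=1) must be set or the gateway will silently drop the forwarded packets regardless of the ruleset. The rule the original post had, "pass in on $intif proto tcp to $intif port ...", only matched connections addressed to the gateway itself, which is why nothing from the inner hosts to outside servers was passed.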