I created a very very simple set of PF rules to try and get my idea for a simplified home network setup. I have somewhat of a question on this posted in another thread but it became a bit off topic and this is a little more specific. I've created a very simple set of rules in PF for NAT and some redirecting and before I put this together would like some opinions/suggestions. This is not meant to be a secure set up as of yet although I would love some suggestions to help secure it without breaking it with my limited knowledge.
Code:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="re0" # The external interface to the internet
int_if="rl0" # The internal interface to the Linksys wrt54gl
#external_addr="192.168.42.5" # My external address is DHCP so this doesn't do me any good?
webserver="10.1.10.10" # jailed in host
ftpserver="10.1.10.11" # jailed in host
webports="{80, 8080, 443, 22}"
ftpports="{21, 22}" # a list macro needs the braces, otherwise "port $ftpports" expands to a syntax error
# Note: port 22 is in both lists; rdr rules are first-match, so SSH from outside will reach $webserver, never $ftpserver.
internal_ports="{55, 88}" # just entered some arbitrary numbers that will be forwarded to the Linksys, to be changed later.
# Options
set block-policy return
set loginterface $ext_if
set skip on lo
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with any source address other than
# $ext_if's own get translated as coming from the address of $ext_if; a state
# is created for such packets, and replies are redirected to the internal address.
nat on $ext_if from !($ext_if) to any -> ($ext_if)
# rdr: TCP packets coming in on $ext_if for the external address on $webports or
# $ftpports are redirected to the jail addresses. A state is created for such
# packets, and outgoing packets are translated as coming from the external address.
rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port $ftpports -> $ftpserver
# Make sure we don't block any traffic while testing the setup.
# Rules
pass in all
pass out all
My goal is to allow anything coming from my int_if out to the internet and have few ports allowed to connect to it. I also eventually want to start blocking what is allowed from int_if to my firewall but I don't have that figured out yet.
I also eventually want to limit what is allowed in and out of the jails. Does this look like something that would work or are my rules very bad?
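Since the question is how to secure this without breaking it, here is an added example (not the poster's ruleset, and not from the original thread) of the same macros reworked into a default-deny pf.conf that matches the stated goals: LAN out to anywhere, only the redirected ports in, and jail egress restricted. It assumes the LAN behind rl0 is 10.1.10.0/24 and that the jail addresses are aliases on the firewall host itself; both are assumptions, adjust to fit.

```pf
# Added example, not the poster's config: the same macros reworked into a
# default-deny ruleset.  Assumptions (adjust to fit): the LAN behind rl0 is
# 10.1.10.0/24 and the two jails are address aliases on the firewall host.
ext_if="re0"
int_if="rl0"
int_net="10.1.10.0/24"
webserver="10.1.10.10"
ftpserver="10.1.10.11"
webports="{ 80, 443 }"      # 8080 and 22 no longer exposed to the Internet
ftpports="{ 21 }"           # a list macro needs the braces

set block-policy drop       # drop silently on the Internet side (was return)
set loginterface $ext_if
set skip on lo
scrub in all                # reassemble fragments before NAT and filtering

# Outbound NAT.  Jail traffic is tagged here, because after translation the
# filter no longer sees the 10.1.10.x source address.  nat is first-match,
# so the jail rules must precede the general LAN rule.
nat on $ext_if from $webserver to any tag WEBJAIL -> ($ext_if)
nat on $ext_if from $ftpserver to any tag FTPJAIL -> ($ext_if)
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port $ftpports -> $ftpserver

# Default deny, logging what the Internet side tries.  pass rules keep state
# by default, so replies need no extra rules.
block all
block in log on $ext_if
antispoof quick for { $ext_if, $int_if }

# Jail egress: the web jail may only resolve names and fetch updates, the
# FTP jail may not initiate anything.  quick rules win regardless of the
# general pass out below.
pass out quick on $ext_if proto { tcp, udp } to any port { 53, 80, 443 } tagged WEBJAIL
block out quick on $ext_if tagged WEBJAIL
block out quick on $ext_if tagged FTPJAIL

# LAN clients may reach anything; only LAN addresses are accepted on rl0.
pass in on $int_if from $int_net to any
pass out on $ext_if from ($ext_if) to any

# Only the redirected services are reachable from outside.  rdr has already
# rewritten the destination, so the filter matches on the jail addresses.
# (FTP data connections still need ftp-proxy(8) or a forwarded passive port
# range; that is not covered here.)
pass in on $ext_if proto tcp from any to $webserver port $webports
pass in on $ext_if proto tcp from any to $ftpserver port $ftpports
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to see what the block rules are dropping.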