block specific Lan IP from internet

[bsdsource]

I would like to block a specific IP address (10.200.200.109) on my Lan from inbound and outbound traffic to the internet. All my Lan computers still need to be able to access that computer and vice versa since it's my NAS. Here is my current pf.conf:

Code:

#*************************
# macros
#*************************
wan="em0"
lan="em1"
nas="10.200.200.109"
ps4="10.200.200.110"
xbox="10.200.200.114"

#*************************
# table
#*************************
table <private_ips> const { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 }

#*************************
# options
#*************************
set reassemble yes
set optimization normal
set limit states 395000
set limit src-nodes 395000
set block-policy drop
set loginterface $wan
set skip on lo0

#********************************************
# traffic normalization
#********************************************
match in all scrub (no-df random-id max-mss 1440)

#****************************
# network address translation
#****************************
match out on $wan inet from $ps4 to any nat-to ($wan:0) static-port
match out on $wan inet from $xbox to any nat-to ($wan:0) static-port
match out on $wan inet from $lan:network to any nat-to ($wan:0) port 1024:65535

#*****************************
# block spoofed or forged IP's
#*****************************
antispoof quick for ($wan)

#*****************************
# block non-routable addresses
#*****************************
block in quick on $wan from no-route to any
block out quick on $wan from any to no-route

#**************************************
# check unicast reverse path forwarding
#**************************************
block in quick on $wan from urpf-failed to any

#*********************************************
# block private address blocks outside network
#*********************************************
block in quick on $wan from <private_ips> to any

#********************
# block IPv6 traffic
#********************
block quick inet6 all

#********************
# block everything
#********************
block inet all

#**********************************
# allow traffic out to the Internet
#**********************************
pass out inet allow-opts

#*****************************************
# port forward xbox one ports for open nat
#*****************************************
pass in quick on $wan proto udp from any port 3544 to ($wan) port 3074 rdr-to $xbox port 3074
pass in quick on $wan proto {tcp,udp} from any port 3075 to ($wan) port 3075 rdr-to $xbox port 3075

#*****************************************
# port forward ps4 ports for open nat
#*****************************************
pass in quick on $wan proto {tcp,udp} from any port 3478 to ($wan) port 3478 rdr-to $ps4
pass in quick on $wan proto {tcp,udp} from any port 3479 to ($wan) port 3479 rdr-to $ps4
pass in quick on $wan proto tcp from any port 3480 to ($wan) port 3480 rdr-to $ps4

#*****************************************
# allow ping (for console purposes)
#*****************************************
pass in quick inet proto icmp all icmp-type echoreq

#***************************************
# allow all internal lan traffic to pass
#***************************************
pass in on $lan inet

[jggimi]

You have a blend of rules with the "quick" option, and rules without it. Because of this complication, I recommend adding new "quick" rules relatively early in your rule set, perhaps before any other quick rules, as your redirects are less specific than this example below.

Keep in mind that you can get tangled up with "in" "out" and "on" when trying to match traffic, or ... trying NOT to match traffic. And as well, the blend of quick and standard rules can sometimes be difficult to manage.

Code:

block quick on $wan from any to 10.200.200.109
block quick on $wan from 10.200.200.109 to any

[bsdsource]

Thanks jggimi. I had to put the rules you provided before my match out rules otherwise it wouldn't work. Internet is restricted but LAN traffic works as intended.