FreeBSD 9.1-STABLE - pf rule being ignored
Jason Hellenthal
jhellenthal at dataix.net
Fri Nov 8 14:05:56 UTC 2013
Curious if your line breaks are correct? Your block and pass rules appear to be on the same line.
This should do it . . .
block in all
block return in quick from !$internal_ip to $external_ip
pass out all keep state
But if you already have a block all rule there is no need for the second, as you're already blocking all traffic, so I might suggest this, not knowing your topology.
I also would not suggest "return" for non-internal traffic except for specific targeted services that it might affect.
. . .
:BEGIN
# drop packets whose source address could not legitimately arrive on these interfaces
antispoof for lo0
antispoof for $ext_if
# default deny in both directions
block all
# $me, $int and $ext_if are macros for this host's address, the internal net and the external interface
pass out quick from $me
pass in quick from $int to $me
:END
And that should accomplish what you are trying to do IIUC.
You can use pftop to verify packets on hit rules.
> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vasadi at gmail.com> wrote:
>
> Hi all,
>
> I have a 9.1-STABLE r251615 acting as a firewall.
>
> The rules:
> block in all
> pass out all keep state
> [...]
> block return from !$internal_ip to $external_ip
>
>
>
> What I want is to block all of the network except $internal from accessing
> $external_ip. For some reason, the above rule simply does not work.
> However, the below does work and blocks everyone except $internal_ip:
>
> block return from $internal_net/24 to $external_ip
> pass from $internal_ip to $external_ip
>
>
> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
> should work like in the first example.
>
> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
>
> --
> Best regards,
> Claudiu Vasadi
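Why the quoted ruleset can appear to be ignored while the "in quick" version holds: pf tests every rule in order, the last matching rule decides, and quick ends evaluation at the rule that carries it. The following simulation of that evaluation order is added here and is not code from either message; the addresses, and the later pass rule that stands in for whatever the quoted excerpt elides with [...], are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses standing in for the thread's $internal_ip and $external_ip macros.
INTERNAL_IP = ipaddress.ip_network("192.168.1.10/32")
EXTERNAL_IP = ipaddress.ip_network("203.0.113.5/32")

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str = "any"      # "in", "out", or "any" when no direction keyword is given
    quick: bool = False         # the "quick" keyword
    src: "ipaddress.IPv4Network | None" = None   # None means "from any"
    src_negate: bool = False    # the "!" in "from !$internal_ip"
    dst: "ipaddress.IPv4Network | None" = None   # None means "to any"

    def matches(self, direction, src, dst):
        if self.direction != "any" and self.direction != direction:
            return False
        if self.src is not None and (src in self.src) == self.src_negate:
            return False
        return self.dst is None or dst in self.dst

def evaluate(rules, direction, src, dst):
    """pf semantics: every rule is tested in order and the LAST matching rule decides,
    except that a matching rule marked 'quick' ends evaluation immediately."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = "pass"  # pf passes traffic that no rule matches
    for rule in rules:
        if rule.matches(direction, src, dst):
            decision = rule.action
            if rule.quick:
                break
    return decision

# Constructed stand-in for a pass rule hidden in the excerpt's "[...]" or later in the file.
LATER_PASS = Rule("pass", "in", dst=EXTERNAL_IP)

# The original poster's rules as quoted: the block carries no "quick".
ORIGINAL = [Rule("block", "in"), Rule("pass", "out"),
            Rule("block", src=INTERNAL_IP, src_negate=True, dst=EXTERNAL_IP), LATER_PASS]

# The suggested form, "block return in quick ...", which no later rule can override.
SUGGESTED = [Rule("block", "in"),
             Rule("block", "in", quick=True, src=INTERNAL_IP, src_negate=True, dst=EXTERNAL_IP),
             Rule("pass", "out"), LATER_PASS]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "outsider:", evaluate(rules, "in", "10.0.0.7", "203.0.113.5"),
              "internal:", evaluate(rules, "in", "192.168.1.10", "203.0.113.5"))
```

The simulation ignores "return" (which only changes how a blocked packet is answered) and state, since neither affects which rule wins.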