FreeBSD 9.1-STABLE - pf rule being ignored

Jason Hellenthal jhellenthal at dataix.net
Fri Nov 8 14:08:31 UTC 2013 

Should say too  . . . don't forget to either skip on lo0 or pass on lo0

> On Nov 8, 2013, at 9:05, Jason Hellenthal <jhellenthal at dataix.net> wrote:
> 
> Curious if your line breaks are correct ? Your block and pass rule appear to be on the same line.
> 
> This should do it . . . 
> 
> block in all
> block return in quick from !$internal_ip to $external_ip
> pass out all keep state
> 
> 
> But if you already have a block all rul there is no need for the second as your already blocking all traffic so I might suggest this not mowing your topology.
> 
> I also would not suggest "return" for non internal traffic except for specific targeted services that it might affect.
> . . . 
> :BEGIN
> 
> spoof on lo0
> spoof on $ext_if
> 
> block all
> pass out quick from $me
> pass in quick from $int to $me
> 
> :END 
> 
> And that should accomplish what you are trying to do IIUC.
> 
> You can use pftop to verify packets on hit rules.
> 
>> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vasadi at gmail.com> wrote:
>> 
>> Hi all,
>> 
>> I have a 9.1-STABLE r251615 acting as a firewall.
>> 
>> The rules:
>> block in all pass out all keep state [...] block return from !$internal_ip
>> to $external_ip
>> 
>> 
>> 
>> What I want is to block all the network except $internal to from accessing
>> $external_ip. For some reason, the above rule simply does not work.
>> However, the below does work and block everyone except $internal_ip:
>> 
>> block return from $internal_net/24 to $external_ip pass from $internal_ip
>> to $external_ip
>> 
>> 
>> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
>> should work like in the first example.
>> 
>> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
>> 
>> -- 
>> Best regards,
>> Claudiu Vasadi
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6118 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20131108/825020bf/attachment.bin>

More information about the freebsd-pf mailing list