Hi, please keep this on the list.

On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote:
> Hi, thank you, I will try to change my rules accordingly. Also some questions:
> 1. I saw you talked about the block all rule. Does this cover traffic between
> vlans/networks as I'm trying to isolate vlans/networks 6,10,20,30 as well as
> my admin network, which is the em2 interface in this case?

Unless you have explicitly excluded interfaces from filtering (set skip on $interface), "block drop log all" will drop packets that do not match any pass rules following.

> 2. You also pointed out that ICMPv4 wasn't getting through. In my case ICMPv6
> won't get out either from my internal networks. Literally nothing from
> internal networks gets out except icmpv4 to gateway, icmp from internal lan
> to internal lan, icmp from internal lan to firewall itself. Other than that
> there's no DNS, HTTP, etc. getting out. Would I need additional rules for
> those explicitly, or would I just need a pass out all rule that, done a certain
> way, could work? (I have also tried this and it still doesn't work.)

Please take a look at the resources I pointed to. The tutorial slides will clear up most of, if not all of, those questions. And please keep any followups on the list.

All the best,
Peter

PS: The PF tutorial slides: https://home.nuug.no/~peter/pftutorial/

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
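The default-deny structure Peter describes (set skip, "block drop log all", then explicit pass rules), written out as a small pf.conf that also isolates the VLANs from each other and from the admin network. This is an added example, not part of the thread or of Peter's slides; the interface names (vlan6 and friends, em2 from the question, the egress group) and the 10.0.x.0/24 subnets are assumptions to replace with your own.

```pf
# Added example, not from the thread. Interface names, subnets and the
# "egress" interface group are assumptions; adjust to your own setup.
ext_if   = "egress"                          # group holding the default route
admin_if = "em2"                             # admin network, as in the question
int_ifs  = "{ vlan6 vlan10 vlan20 vlan30 }"  # assumed vlan(4) interface names

table <vlan_nets> { 10.0.6.0/24 10.0.10.0/24 10.0.20.0/24 10.0.30.0/24 }  # assumed
table <internal>  { 10.0.6.0/24 10.0.10.0/24 10.0.20.0/24 10.0.30.0/24 \
                    10.0.99.0/24 }           # all VLANs plus the assumed admin net

# Loopback is never filtered.
set skip on lo0

# Default deny: anything not matched by a later pass rule is dropped and logged,
# so every service you want has to get its own pass rule below.
block drop log all

# Admin network: full access, including to the firewall itself.
pass in on $admin_if inet from $admin_if:network to any

# Services the firewall itself offers on the VLANs. "quick" means these are
# decided here and are not overridden by the isolation block rule that follows.
pass in quick on $int_ifs inet proto icmp from <vlan_nets> to $int_ifs icmp-type echoreq
pass in quick on $int_ifs inet proto { tcp udp } from <vlan_nets> to $int_ifs port domain
# IPv6 on the VLANs needs at least neighbour discovery and router solicitation
# to pass, otherwise no v6 traffic will ever leave them.
pass in quick on $int_ifs inet6 proto icmp6 all \
    icmp6-type { echoreq neighbrsol neighbradv routersol routeradv }

# Isolation: traffic from one VLAN to any other VLAN or to the admin network is
# dropped (and logged) before the general pass rule can match it.
block drop log in quick on $int_ifs inet from <vlan_nets> to <internal>

# Everything else from the VLANs (e.g. DNS and HTTP to the Internet) is allowed;
# the state created here also lets the replies back in.
pass in on $int_ifs inet from <vlan_nets> to any

# Let the firewall's own and forwarded traffic leave towards the Internet.
# (If the VLANs use private addresses, a separate match ... nat-to rule is
# needed as well; that is outside what this example shows.)
pass out on $ext_if inet from any to any
pass out on $ext_if inet6 from any to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `tcpdump -n -e -ttt -i pflog0` to see which logged block rule is eating the traffic you expected to pass.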