On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote:
> Hello Jason,
>
> I understood the purpose of allowing internet access for the firewall
> itself. However this is exactly where I am still stuck.
>
> By doing this after our default block all:
>
> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
>     port { 53 80 22 443 }
>
> I am actually allowing it for both $int_if and $int_if2, thus the following
> port restriction rules are not getting evaluated.
In an effort to simplify your ruleset I was guilty of forgetting that
translation happens before filtering. Here is a new version that filters
on the internal interfaces. Let me know if you have any questions.

ext_if = "re1"
int_if = "re0"
int_if2 = "re2"

set skip on lo
scrub in

# Translation: LAN sources are rewritten to ($ext_if) on the way out,
# before the outbound filter rules on $ext_if are evaluated.
nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
    -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
    -> ($ext_if)

block all
pass out on $ext_if

# Per-network port restrictions go on the internal interfaces, where the
# packets still carry their original source addresses.
pass in on $int_if inet proto tcp from $int_if:network to any \
    port { 53 80 }
pass in on $int_if inet proto udp from $int_if:network to any \
    port 53
pass in on $int_if2 inet proto tcp from $int_if2:network to any \
    port { 22 53 80 443 }
pass in on $int_if2 inet proto udp from $int_if2:network to any \
    port 53

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
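The point of the reply above is that with the nat-rule syntax used in this thread, pf rewrites the source address on $ext_if before it runs the outbound filter rules on $ext_if, so a rule written "from ($ext_if)" also matches every translated LAN packet. The following toy model of that packet path is an added illustration, not code from the thread or from pf: the interface addresses, the "weak" ruleset (a reconstruction of the shape Andres describes, since the thread quotes only one of its rules) and the simplified last-match-wins evaluation are all assumptions, and state tracking is left out.

```python
"""Toy model of the pre-4.7 pf packet path discussed in the thread:
NAT on $ext_if is applied *before* the outbound filter rules on $ext_if
are evaluated.  Added example; addresses and the WEAK ruleset are
constructed assumptions, not taken from the thread."""
import ipaddress
from collections import namedtuple

EXT, INT, INT2 = "re1", "re0", "re2"          # ext_if, int_if, int_if2
# Constructed addressing: (interface address, attached network).
IFACES = {
    EXT:  ("203.0.113.2", "203.0.113.0/24"),
    INT:  ("192.168.1.1", "192.168.1.0/24"),
    INT2: ("192.168.2.1", "192.168.2.0/24"),
}

def ifaddr(ifn):      # the ($if) interface address
    return ipaddress.ip_address(IFACES[ifn][0])

def ifnet(ifn):       # the $if:network attached network
    return ipaddress.ip_network(IFACES[ifn][1])

Packet = namedtuple("Packet", "direction iface proto src dport")

class Rule:
    """One filter rule. None means 'any'; src is an ip_network
    ($if:network) or an ip_address (the ($if) address)."""
    def __init__(self, action, direction=None, iface=None, proto=None,
                 src=None, ports=None):
        self.action, self.direction, self.iface = action, direction, iface
        self.proto, self.src, self.ports = proto, src, ports

    def matches(self, p):
        if self.direction and p.direction != self.direction: return False
        if self.iface and p.iface != self.iface: return False
        if self.proto and p.proto not in self.proto: return False
        if self.ports and p.dport not in self.ports: return False
        if isinstance(self.src, ipaddress.IPv4Network) and p.src not in self.src: return False
        if isinstance(self.src, ipaddress.IPv4Address) and p.src != self.src: return False
        return True

def filter_packet(rules, p):
    """pf semantics without 'quick': the LAST matching rule wins."""
    verdict = "pass"                        # pf's implicit default
    for r in rules:
        if r.matches(p):
            verdict = r.action
    return verdict

NAT_FROM = [ifnet(INT), ifnet(INT2)]       # nat on $ext_if from $int_if*:network -> ($ext_if)

def translate(p):
    """The nat rules: applied on the way out of $ext_if, before filtering."""
    if p.direction == "out" and p.iface == EXT and any(p.src in n for n in NAT_FROM):
        return p._replace(src=ifaddr(EXT))
    return p

def from_lan(rules, in_if, proto, dport):
    """A LAN host behind in_if opens a connection to the Internet."""
    host = ifnet(in_if)[10]
    if filter_packet(rules, Packet("in", in_if, proto, host, dport)) == "block":
        return "block"                      # dropped on the internal interface
    p = translate(Packet("out", EXT, proto, host, dport))   # routed to ext_if: NAT first,
    return filter_packet(rules, p)                          # then outbound filtering

def from_firewall(rules, proto, dport):
    """The firewall itself connects out; no nat rule applies to it."""
    return filter_packet(rules, translate(Packet("out", EXT, proto, ifaddr(EXT), dport)))

TCPUDP = {"tcp", "udp"}
# Assumed shape of the original ruleset: restricting on $ext_if after NAT.
WEAK = [
    Rule("block"),
    Rule("pass", "out", EXT, TCPUDP, ifaddr(EXT), {53, 80, 22, 443}),  # the rule Andres quoted
    Rule("pass", "in", INT, None, ifnet(INT)),
    Rule("pass", "in", INT2, None, ifnet(INT2)),
    # intended int_if restriction: never matches, the source is already ($ext_if) here
    Rule("pass", "out", EXT, {"tcp"}, ifnet(INT), {53, 80}),
]
# Jason's corrected ruleset: restrict on the way IN, before translation.
FIXED = [
    Rule("block"),
    Rule("pass", "out", EXT),
    Rule("pass", "in", INT, {"tcp"}, ifnet(INT), {53, 80}),
    Rule("pass", "in", INT, {"udp"}, ifnet(INT), {53}),
    Rule("pass", "in", INT2, {"tcp"}, ifnet(INT2), {22, 53, 80, 443}),
    Rule("pass", "in", INT2, {"udp"}, ifnet(INT2), {53}),
]

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "int_if->22:", from_lan(rs, INT, "tcp", 22),
              "int_if2->22:", from_lan(rs, INT2, "tcp", 22),
              "firewall->22:", from_firewall(rs, "tcp", 22))
```

Under WEAK, a host on $int_if reaches port 22 because the translated packet matches the "from ($ext_if)" rule and the rule meant to restrict it never matches; under FIXED the same packet is blocked inbound on re0 before any translation happens, while $int_if2 and the firewall itself still get port 22. Real pf is stateful (a passing rule creates state that later packets match without re-evaluating the ruleset), and on OpenBSD 4.7 and later nat became a nat-to option on match/pass rules with filter rules seeing the pre-translation address, so the ordering modelled here is specific to the nat-rule syntax used in the thread.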