On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote:
> Hello Jason,
>
> I understood the purpose of allowing internet access for the firewall
> itself. However, this is exactly where I am still stuck.
>
> By doing this after our default block all:
>
> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
> port { 53 80 22 443 }
>
> I am actually allowing it for both $int_if and $int_if2, thus the following
> port restriction rules are not getting evaluated.
In an effort to simplify your ruleset, I was guilty of forgetting that
translation happens before filtering. Here is a new version that
filters on the internal interfaces. Let me know if you have any
questions.
# Interfaces
ext_if = "re1"
int_if = "re0"
int_if2 = "re2"

set skip on lo
scrub in

# Translation runs before filtering: by the time a packet is filtered
# out on $ext_if its source is already ($ext_if), so the two LANs are
# indistinguishable there.
nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
	-> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
	-> ($ext_if)

# Default deny; anything that reaches the outbound side of $ext_if
# (firewall-originated or already translated) is allowed out.
block all
pass out on $ext_if

# Per-network port restrictions go on the internal interfaces, inbound,
# where the original source address is still visible.
pass in on $int_if inet proto tcp from $int_if:network to any \
	port { 53 80 }
pass in on $int_if inet proto udp from $int_if:network to any \
	port 53
pass in on $int_if2 inet proto tcp from $int_if2:network to any \
	port { 22 53 80 443 }
pass in on $int_if2 inet proto udp from $int_if2:network to any \
	port 53
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
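The point Jason makes (nat on $ext_if rewrites the source before the out rules on $ext_if are filtered, so a rule matching "from ($ext_if)" covers both LANs) can be traced with a small model of pf's packet path. This is an added example written for this page, not code from the thread or from pf; it simulates only a forwarded packet (in on a LAN interface, nat then out on $ext_if), uses pf's last-matching-rule semantics with no "quick" and no state, and assumes the addresses below and the shape of the earlier ruleset Andres describes (open pass-in on both LANs, port limits attempted on $ext_if). It compares that ruleset against the corrected one above.

```python
import ipaddress
from dataclasses import dataclass

# Interface names follow the thread; the addresses are assumptions for this example.
EXT_IF, INT_IF, INT_IF2 = "re1", "re0", "re2"
EXT_ADDR = ipaddress.ip_address("203.0.113.2")      # stands in for ($ext_if)
EXT_NET = ipaddress.ip_network("203.0.113.2/32")    # same address, as a /32 for matching
INT_NET = ipaddress.ip_network("192.168.0.0/24")    # $int_if:network
INT_NET2 = ipaddress.ip_network("192.168.2.0/24")   # $int_if2:network


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    proto: str
    dport: int


def rule(action, direction=None, iface=None, proto=None, src=None, ports=None):
    """One filter rule; None means 'any' for that field, like pf's 'all'."""
    return dict(action=action, direction=direction, iface=iface,
                proto=proto, src=src, ports=ports)


def matches(r, direction, iface, pkt):
    if r["direction"] is not None and r["direction"] != direction:
        return False
    if r["iface"] is not None and r["iface"] != iface:
        return False
    if r["proto"] is not None and pkt.proto not in r["proto"]:
        return False
    if r["src"] is not None and pkt.src not in r["src"]:
        return False
    if r["ports"] is not None and pkt.dport not in r["ports"]:
        return False
    return True


def filter_verdict(rules, direction, iface, pkt):
    """pf semantics without 'quick': the last matching rule decides."""
    verdict = "pass"
    for r in rules:
        if matches(r, direction, iface, pkt):
            verdict = r["action"]
    return verdict


def nat_translate(nat_rules, iface, pkt):
    """Translation on the outbound interface runs before that interface's
    filter rules; the first matching nat rule rewrites the source."""
    for n in nat_rules:
        if n["iface"] == iface and pkt.proto in n["proto"] and pkt.src in n["src"]:
            return Packet(n["to"], pkt.proto, pkt.dport)
    return pkt


def forward(ruleset, in_iface, pkt):
    """A LAN host's packet: filtered in on in_iface, then nat + filtered out on ext_if."""
    if filter_verdict(ruleset["filter"], "in", in_iface, pkt) == "block":
        return "block"
    translated = nat_translate(ruleset["nat"], EXT_IF, pkt)
    return filter_verdict(ruleset["filter"], "out", EXT_IF, translated)


NAT = [
    dict(iface=EXT_IF, proto={"tcp", "udp"}, src=INT_NET, to=EXT_ADDR),
    dict(iface=EXT_IF, proto={"tcp", "udp"}, src=INT_NET2, to=EXT_ADDR),
]

# Assumed shape of the earlier ruleset: per-network port limits placed on
# $ext_if, where the source has already been rewritten to ($ext_if).
OLD = dict(nat=NAT, filter=[
    rule("block"),
    rule("pass", "in", INT_IF, src=INT_NET),
    rule("pass", "in", INT_IF2, src=INT_NET2),
    rule("pass", "out", EXT_IF, proto={"tcp", "udp"}, src=EXT_NET, ports={53, 80, 22, 443}),
    # Meant to keep $int_if's network off 22/443; never matches after nat.
    rule("block", "out", EXT_IF, proto={"tcp"}, src=INT_NET, ports={22, 443}),
])

# The corrected ruleset from the reply: restrict inbound on the internal
# interfaces, where the original source address is still visible.
NEW = dict(nat=NAT, filter=[
    rule("block"),
    rule("pass", "out", EXT_IF),
    rule("pass", "in", INT_IF, proto={"tcp"}, src=INT_NET, ports={53, 80}),
    rule("pass", "in", INT_IF, proto={"udp"}, src=INT_NET, ports={53}),
    rule("pass", "in", INT_IF2, proto={"tcp"}, src=INT_NET2, ports={22, 53, 80, 443}),
    rule("pass", "in", INT_IF2, proto={"udp"}, src=INT_NET2, ports={53}),
])


def compare(in_iface, src, proto, dport):
    """Verdicts of the old and the corrected ruleset for one outbound packet."""
    pkt = Packet(ipaddress.ip_address(src), proto, dport)
    return forward(OLD, in_iface, pkt), forward(NEW, in_iface, pkt)


if __name__ == "__main__":
    for case in [(INT_IF, "192.168.0.10", "tcp", 443),
                 (INT_IF2, "192.168.2.10", "tcp", 443),
                 (INT_IF, "192.168.0.10", "tcp", 80),
                 (INT_IF, "192.168.0.10", "tcp", 25)]:
        print(case, "old/new:", compare(*case))
```

The first case is the one Andres ran into: a host on $int_if's network reaching port 443 is passed by the old ruleset because the "block out ... from $int_if:network" rule sees ($ext_if) as the source, while the corrected ruleset blocks it on the inbound side of $int_if. Checking a real ruleset the same way is a matter of loading it with pfctl -nf to validate syntax and then watching pfctl -sr / pflog from both LANs.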