Hello Jason, Thank you for assisting me in getting this together.

I do understand that translation happens before filtering (at least I think I do). What I don't understand is why the filtering is done with "pass in" if traffic is actually going from within the int_if2 network to the outside. Where is the traffic actually going "in"?

> pass in on $int_if2 inet proto udp from $int_if2:network to any \
>     port 53

Thank you.

Andres

On Sun, Jul 26, 2009 at 6:36 PM, Jason Dixon<ja...@dixongroup.net> wrote:
> On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote:
>> Hello Jason,
>>
>> I understood the purpose of allowing internet access for the firewall
>> itself. However this is exactly where I am still stuck.
>>
>> By doing this after our default block all:
>>
>> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
>>     port { 53 80 22 443 }
>>
>> I am actually allowing it for both $int_if and $int_if2, thus the following
>> port restriction rules are not getting evaluated.
>
> In an effort to simplify your ruleset I was guilty of forgetting that
> translation happens before filtering. Here is a new version that
> filters on the internal interfaces. Let me know if you have any
> questions.
>
>
> ext_if = "re1"
> int_if = "re0"
> int_if2 = "re2"
>
> set skip on lo
>
> scrub in
>
> nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
>     -> ($ext_if)
> nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
>     -> ($ext_if)
>
> block all
> pass out on $ext_if
>
> pass in on $int_if inet proto tcp from $int_if:network to any \
>     port { 53 80 }
> pass in on $int_if inet proto udp from $int_if:network to any \
>     port 53
> pass in on $int_if2 inet proto tcp from $int_if2:network to any \
>     port { 22 53 80 443 }
> pass in on $int_if2 inet proto udp from $int_if2:network to any \
>     port 53
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
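The thread above turns on pf's evaluation order: a LAN packet is first filtered "in" on the interface it enters the firewall on (where its private source address is still visible), then translated by the nat rule, then filtered "out" on the external interface where only ($ext_if) is seen. The following is an added, stateless toy model of that order (not code from the thread or from pf itself; real pf also keeps state, which the model ignores) using Jason's interface names; the LAN prefixes and the external address are constructed assumptions. It encodes both Jason's revised ruleset and the shape Andres describes, where the port restriction sits on re1 after NAT.

```python
from collections import namedtuple

EXT_IF, INT_IF, INT_IF2 = "re1", "re0", "re2"         # interface names from the thread
NETS = {INT_IF: "192.168.1.", INT_IF2: "192.168.2."}  # constructed LAN prefixes (assumption)
EXT_ADDR = "203.0.113.10"                              # constructed address for ($ext_if)

# direction is "in" (entering the firewall on iface) or "out" (leaving it on iface)
Packet = namedtuple("Packet", "iface direction proto src dport")

# Rule = (action, direction, iface, proto, source, ports). source is "any", an
# interface name (meaning $iface:network) or a literal address; ports None = any.
def matches(rule, p):
    _, direction, iface, proto, src, ports = rule
    src_ok = src in ("any", p.src) or (src in NETS and p.src.startswith(NETS[src]))
    return (direction == p.direction and iface == p.iface
            and proto in ("any", p.proto) and src_ok
            and (ports is None or p.dport in ports))

def filter_hop(rules, p):
    """pf evaluates every rule and the last match wins; 'block all' is the default."""
    verdict = "block"
    for rule in rules:
        if matches(rule, p):
            verdict = rule[0]
    return verdict

def forward(rules, p):
    """LAN -> Internet: filter 'in' on the LAN interface (private source still visible),
    then nat to ($ext_if), then filter 'out' on re1 where only the translated source is seen."""
    if filter_hop(rules, p) == "block":
        return "block"
    natted = p._replace(iface=EXT_IF, direction="out", src=EXT_ADDR)
    return filter_hop(rules, natted)

# Jason's revised ruleset: per-network port restrictions sit on the inbound hop.
NEW_RULES = [
    ("pass", "out", EXT_IF, "any", "any", None),
    ("pass", "in", INT_IF, "tcp", INT_IF, {53, 80}),
    ("pass", "in", INT_IF, "udp", INT_IF, {53}),
    ("pass", "in", INT_IF2, "tcp", INT_IF2, {22, 53, 80, 443}),
    ("pass", "in", INT_IF2, "udp", INT_IF2, {53}),
]
# The shape Andres describes: the port restriction sits on re1 after NAT, so it
# cannot tell the two internal networks apart and re0 hosts reach port 22 too.
OLD_RULES = [
    ("pass", "in", INT_IF, "any", INT_IF, None),
    ("pass", "in", INT_IF2, "any", INT_IF2, None),
    ("pass", "out", EXT_IF, "tcp", EXT_ADDR, {53, 80, 22, 443}),
]
```

Running `forward(NEW_RULES, Packet("re0", "in", "tcp", "192.168.1.5", 22))` returns "block" while the same packet under `OLD_RULES` returns "pass", which is exactly the leak Andres noticed.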