Hey there,
I am a heavy pfSense user and I thought, why not spend a little
"free-time" and learn more about "pf" itself. :)
So I got myself a copy of the 3rd edition of "The Book of PF" and
started to work with it.
I created my first rules, to the point where pf can already act as an
internet gateway for a few subnets on my local network.
Even though it works fine, I have a question on how to achieve a certain
configuration to which I am used.
The problem is surely on my side, so please bear with me if my question
sounds naive or stupid. (Which it surely will^^)
Let me show you my current ruleset first:
1.) block all
2.) set skip on lo
3.) match out on egress inet from $int_net nat-to egress
4.) pass in on $int_if from $int_net to *any*
5.) pass out on $ext_if from $ext_if to any
As far as I know, in order to grant my client machines in the local
network access to the internet, the keyword *"any"* in rule 4.) is
necessary for obvious reasons. But of course "any" would also imply all
other interfaces, to which I may want to restrict access.
My understanding was, I would just grant my clients access to the WAN
interface (or the egress interface) so that they can surf the web etc.,
but at the same time they are locked out from accessing other interfaces
until I create rules for it. That's the kind of configuration I am
probably used to, due to my pfSense background.
My question therefore is, how can I achieve a similar configuration with
"pf"? Or maybe I am just interested in what the best/common practice for
that scenario is.
Can I, for example, combine *any* with != so that traffic destined for
the internet passes but at the same time traffic destined to VLANs
(!=vlan100 .... 400) or physical networks does not?
The other approach would probably be to leave rule 4.) untouched and
restrict the "any" later with block rules (e.g. block in from $int_net to
"{ vlan100, vlan200 ... }"), because AFAIK with pf the last rule that fits
the criteria wins (until I use quick).
Thank you in advance for any help you are willing to provide. Progress
comes slowly with me ^^
Regards
Dennis
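As an added illustration (not part of Dennis's post) of the two approaches he describes, here is a small pf.conf that lets $int_net reach the internet but not the other local prefixes, once by negating a table in the pass rule and once by keeping "to any" and letting a later block rule win under pf's last-match semantics. Interface names, prefixes and the <local_nets> table are assumed placeholders.

```pf
# Added example ruleset, not from the original post.
# Assumed names: em0 = external, em1 = internal, 192.168.10.0/24 = clients.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.10.0/24"

# All local prefixes the clients should NOT reach through the firewall.
# (Assumed values; list the real VLAN/physical subnets here.)
table <local_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
block all

# NAT the client subnet behind the egress interface (unchanged from the post).
match out on egress inet from $int_net nat-to egress

# --- Approach A: restrict inside the pass rule with the negation operator.
# "! <table>" matches every destination NOT in the table, so internet
# destinations pass while any local prefix falls through to "block all".
pass in on $int_if inet from $int_net to ! <local_nets>

# Clients still need the gateway itself (e.g. DNS on the internal address);
# a later, more specific pass rule re-opens just that.
pass in on $int_if inet proto { tcp udp } from $int_net to $int_if port 53

# --- Approach B: keep "to any" and let a later block rule win.
# Without "quick", the LAST matching rule decides, so the block below
# overrides the broad pass for destinations inside <local_nets>.
# pass  in on $int_if inet from $int_net to any
# block in on $int_if inet from $int_net to <local_nets>
#
# Variant with "quick": put the block FIRST; "quick" stops evaluation
# at the first match, so the later "to any" pass is never reached
# for local destinations.
# block in quick on $int_if inet from $int_net to <local_nets>
# pass  in on $int_if inet from $int_net to any

# Let the replies and the NATed traffic leave via the external interface.
pass out on $ext_if inet from ($ext_if) to any
```

Load the file with `pfctl -nf /etc/pf.conf` first to syntax-check it, then verify which rule decides for a given destination with `pfctl -sr` and `pfctl -ss` while a client tries both an internet address and a local prefix.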