Hi Ken,

thank you very much for explaining things in a little more detail.
I wasn't aware of the fact that traffic has to pass two rules to reach its endpoint, but after making a little drawing that illustrated how the packets flow it was pretty obvious. Funny thing is that this is exactly the kind of misunderstanding the book mentions early on, and thanks to your explanation I now understand what it means.

Thanks.

Dennis

On 13.05.2015 at 15:29, Kenneth Gober wrote:
On Tue, May 12, 2015 at 6:36 PM, Dennis Steinkamp <[email protected]> wrote:

    As far as I know, in order to grant my client machines in the
    local network access to the internet the keyword *"any"* in rule
    4.) is necessary for obvious reasons. But of course "any" would
    imply all other interfaces to where I maybe want to restrict
    access to.
    My understanding was, I would just grant my clients access to the
    WAN interface (or the egress interface) so that they can surf the
    web etc. but at the same time are locked out from accessing other
    interfaces, until I create rules for it; that's the kind of
    configuration I am probably used to, due to my pfsense background.
    My question therefore is, how can I achieve a similar configuration
    with "pf", or maybe I am just interested in what the best/common
    practice for that scenario is.


Actually, the ruleset you have listed does exactly this. The reason is, in order for client traffic to reach its destination, it has to make it past *two* pass rules: it must "pass in" to get into your pf router, and then it must "pass out" to go on to its destination.

Your rules allow any traffic in, but then only allow traffic to the Internet to go out. Since you don't have any kind of "pass out on $private_if" rules, no traffic will be allowed to pass on to any other interfaces. You could go to the trouble of adding block rules (e.g. block in quick on $int_if from $int_net to $private_net), but since you don't have any pass out on $private_if rules anyway, they would be spurious right now.

Once you add pass out rules for your private interface(s), at that point you can decide whether you want to block client traffic on its way in, or on its way out. Either way works, as long as it gets blocked *somewhere*.

-ken
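The following pf.conf is an added example illustrating the two-rule behaviour Ken describes; it is not a ruleset from either poster. Interface names, addresses and the management host are assumptions chosen for illustration, and the `match ... nat-to` form is OpenBSD syntax (FreeBSD's pf spells the same thing `nat on $ext_if from $int_net to any -> ($ext_if)`).

```pf
# Added example, not from the thread. Names and addresses are assumed.
ext_if   = "em0"             # WAN / egress interface
int_if   = "em1"             # client LAN
priv_if  = "em2"             # private segment the clients must not reach
int_net  = "192.168.1.0/24"
priv_net = "10.10.0.0/24"
mgmt     = "192.168.1.10"    # assumed admin host allowed into the private segment

set skip on lo0

# Outbound NAT so clients leave with the WAN address (OpenBSD syntax).
match out on $ext_if from $int_net to any nat-to ($ext_if)

# Default deny on every interface in both directions. A forwarded packet
# must match a "pass in" on the interface it enters AND a "pass out" on
# the interface it leaves; anything else is dropped and logged to pflog0.
block log all

# Rule 4 from the thread: clients may enter the router bound for "any".
# This only gets the packet INTO pf; on its own it reaches nothing.
pass in on $int_if from $int_net to any

# Second hop: the only egress that is permitted is the WAN interface.
pass out on $ext_if from $int_net to any

# Deliberately no "pass out on $priv_if" rule. A packet from $int_net to
# $priv_net clears "pass in on $int_if", then hits "block log all" on its
# way out of $priv_if and is dropped, which is why no extra block is needed yet.

# Once the private segment needs its own pass out rule, the client block
# must become explicit somewhere. Blocking on ingress with "quick" stops
# evaluation before any later pass rule (or state) can let it through.
block in quick on $int_if from $int_net to $priv_net
pass out on $priv_if from $mgmt to $priv_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, inspect the loaded rules with `pfctl -sr`, and watch the drops that the `block log all` rule produces with `tcpdump -n -e -ttt -i pflog0`; a client packet to `$priv_net` should show up there as blocked on `$int_if` (with the quick rule) or on `$priv_if` (without it), never on both.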
