This is how I usually build up my filters....
I left everything out except the rules and variables. Maybe it can give
you some hints.
-pf.conf----------------
LAN_INT="em0"
DMZ1_INT="fxp0"
INTERNET_INT="fxp1"
ALL_INTERFACES="{" $LAN_INT $DMZ1_INT $INTERNET_INT "}"
# SETTING SOME DEFAULTS
# Default deny (logged); every allowed flow must be passed explicitly below
block log all
pass out on $ALL_INTERFACES inet proto {udp, icmp} all keep state
pass out on $ALL_INTERFACES inet proto tcp all flags S/SA keep state
pass quick on lo0 all keep state
# FROM LAN
# ICMP types: 11/0 time exceeded, 3/1 host unreachable, 8/0 echo request
pass in quick on $LAN_INT inet proto icmp from $LAN_INT:network to any \
    icmp-type { 11 code 0 , 3 code 1 , 8 code 0 } keep state
pass in quick on $LAN_INT inet proto tcp from $LAN_INT:network to any \
    flags S/SA keep state
pass in quick on $LAN_INT inet proto udp from $LAN_INT:network to any \
    keep state
# FROM INTERNET
# Don't know what you got here. But nothing here denies traffic from Internet
# FROM DMZ
# Don't know what you got here. But nothing here denies traffic from DMZ
# We can add SSH traffic to everywhere as an example
pass in quick on $DMZ1_INT inet proto tcp from $DMZ1_INT:network to any \
    port 22 flags S/SA keep state
--------------------
Regards
/Per-Olov
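As an added example (my own ruleset, not Per-Olov's or Allie's configuration), here is a complete pf.conf for the three-NIC layout that does what Allie asked for: the DMZ cannot start anything towards the LAN, while the LAN can reach chosen DMZ services. The interface names come from this thread; the subnets, the DMZ web server address and the open ports are assumptions I made up for the example.

```pf
# Added example, not the ruleset posted above. Interface names from the
# thread; addresses and ports below are assumed placeholders.
lan_if="em0"
dmz_if="fxp0"
ext_if="fxp1"
lan_net="192.168.1.0/24"        # assumed LAN subnet
dmz_net="192.168.2.0/24"        # assumed DMZ subnet
www_srv="192.168.2.10"          # assumed DMZ web server
dmz_services="{ 80, 443 }"      # assumed services the LAN may use in the DMZ
all_ifs="{" $lan_if $dmz_if $ext_if "}"

set skip on lo0

# Translation (pre-4.7 syntax, as still used by FreeBSD pf): both inside
# networks leave via the external address, and Internet web traffic is
# redirected to the DMZ server.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $www_srv port 80

# Default deny, logged, so every permitted flow is an explicit rule.
block log all

# The DMZ -> LAN deny is evaluated first and is "quick", so no later pass
# rule can override it.  It sits on the DMZ interface, inbound: the packet
# is stopped before it is routed, which is why filtering only on $ext_if
# never blocked this path.
block in log quick on $dmz_if from $dmz_net to $lan_net

# Let established flows leave on any interface; the state entry created by
# the matching "pass in" rule carries the reply traffic back.
pass out on $all_ifs inet proto { udp, icmp } all keep state
pass out on $all_ifs inet proto tcp all flags S/SA keep state

# FROM LAN: may open the listed DMZ services, and anything towards the
# Internet (everything except the DMZ network).
pass in quick on $lan_if inet proto tcp from $lan_net to $dmz_net \
    port $dmz_services flags S/SA keep state
pass in quick on $lan_if inet proto icmp from $lan_net to any \
    icmp-type echoreq keep state
pass in quick on $lan_if inet proto tcp from $lan_net to ! $dmz_net \
    flags S/SA keep state
pass in quick on $lan_if inet proto udp from $lan_net to ! $dmz_net keep state

# FROM DMZ: Internet only.  "to any" is safe here because the quick block
# above already removed the LAN destination; the host that answers a
# LAN-initiated connection is matched by state, not by these rules.
pass in quick on $dmz_if inet proto tcp from $dmz_net to any \
    flags S/SA keep state
pass in quick on $dmz_if inet proto udp from $dmz_net to any keep state

# FROM INTERNET: only the redirected web port reaches the DMZ server.
pass in quick on $ext_if inet proto tcp from any to $www_srv port 80 \
    flags S/SA keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it, so a typo cannot lock you out; `pfctl -sr` afterwards prints the loaded rules in evaluation order, which is the easiest way to confirm the DMZ-to-LAN block really sits above the pass rules. A connection attempt from a DMZ host to a LAN address should then show up in `pflog` while a LAN browser still reaches the DMZ web server. On OpenBSD 4.7 and later the `nat`/`rdr` lines become `match ... nat-to` / `pass in ... rdr-to`; the filter rules are unchanged.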
Drain Fade said:
> I've got a triple NIC pf NAT box with an external NIC to the Internet, an
> internal to a DMZ, and the third is to a LAN. I want to block traffic from
> the DMZ to the LAN, but allow traffic from the LAN to the DMZ (allow
> certain traffic of course that I closely define ;) I've tried a few
> different blocking techniques on the external from the dmz to the lan and
> on the internal interfaces unsuccessfully. It either allows traffic or I
> lock myself out ;) Can anyone help out with some direction in creating the
> right rule(s) to achieve this ? All my filtering is on the external
> interface with a few redirections to my DMZ (and a few redirections on the
> internal_if for name resolution to the DMZ). Thanks in advance....
> --
> Allie