Hello,
I’m trying to set up a NATting firewall in which the internal network (int_if:network) *only* has access to the internet and UDP port 53 (domain) on the firewall. When I’m using the pf.conf given beneath, it is possible to access all servers on the firewall...
If I track a packet (say TCP port 22 to $int_if) on the inbound network, I would expect the following:
1.) block log all
    default block policy
2.) pass in on $int_if proto udp from $int_if:network to $int_if port $int_udp keep state
    packet is not accepted on $int_if because of TCP port 22
3.) pass in on $int_if from $int_if:network to !$int_if:network keep state
    packet is still not accepted because of !$int_if:network (= any except the internal network).
Unfortunately, in the real world this does not work and the packet reaches its destination. Any suggestion?
Here are two as a start:
1) "to !$int_if:network" will only work as you intend if there is only one IP address assigned to $int_if. If there is more, it will fail. Please show the content of "pfctl -sr". As a workaround, you can use !($int_if:network).
2) You want to prevent people in your internal network from connecting to your firewall, but the rules that you show here won't prevent people from accessing the external IP address of your firewall ($ext_if).
Cedric
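As an added illustration (not a ruleset posted by either participant in this thread), here is a pf.conf sketch that applies both points from the reply above: it uses the parenthesised !($int_if:network) form so the negation holds even when $int_if carries several addresses, and it closes the gap on the firewall's external address by blocking LAN traffic to "self" (the pf keyword for every address on every interface of the firewall) before the general pass rule. Interface names em0/em1 and the old-style "nat ... ->" translation syntax are assumptions; on OpenBSD 4.7 or later the NAT line would be written as "match out on $ext_if from $int_if:network nat-to ($ext_if)" instead. Rule order matters here: the DNS pass and the block to self are both "quick", so the DNS exception is decided before the block and the block is decided before the broad pass.

```pf
# Added example, not from the thread. Assumed interface names.
ext_if  = "em0"
int_if  = "em1"
int_udp = "{ 53 }"

set skip on lo0

# Translate LAN traffic leaving through the external interface.
# (Old-style syntax; OpenBSD 4.7+ uses: match out on $ext_if from $int_if:network nat-to ($ext_if))
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, logged.
block log all

# Exception 1: LAN may query the resolver on the firewall's internal address only.
# "quick" ends evaluation here, so the block-to-self rule below cannot override it.
pass in quick on $int_if proto udp from $int_if:network to ($int_if) port $int_udp keep state

# Point 2 from the reply: "self" covers every firewall address, including $ext_if,
# which a plain "to !$int_if:network" rule would have left reachable from the LAN.
block in log quick on $int_if from $int_if:network to self

# Point 1 from the reply: parenthesised negation works with more than one address on $int_if.
pass in on $int_if from $int_if:network to !($int_if:network) keep state

# Let the firewall's own traffic and the NATed sessions leave.
pass out on $ext_if keep state
pass out on $int_if keep state
```

After loading, "pfctl -sr" shows the expanded rules so you can confirm what each interface macro actually turned into; a connection attempt from the LAN to the external address should then appear in the pflog as a match on the "block ... to self" rule rather than reaching the service.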
