Hi everyone,
I'm having some trouble figuring out why one of my PF rules isn't
working. I have my wireless network in its own subnet. (Internal
and DMZ are also subnetted, DMZ currently not being used.) I don't
want wireless clients to have open access to my other subnets, so I
have a default "block in" on the $wifi_if. But I want to allow any
traffic from the wireless network to pass through to the outside
world. I tried using the following rule to accomplish this:
pass in on $wifi_if from $wifi_if:network to $ext_if:network
But it does not seem to work. I know it's not a routing issue because
if I change it to this it works fine:
pass in on $wifi_if from $wifi_if:network to any
But that obviously allows full access to all my other subnets, which I
don't want. So if anyone can help me understand why this isn't
working the way I think it should, I would be very grateful! I will
include my full pf.conf below for reference.
Thanks!
--Brian Johnson
# $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
## MACROS ##
ext_if = "rl0"
int_if = "rl1"
dmz_if = "sis0"
wifi_if = "sis1"
www_srv = "192.168.1.3"
mail_srv = "192.168.1.3"
www_ports = "{ http, https }"
mail_ports = "{ smtp, submission, imaps }"
## OPTIONS ##
set block-policy return
set loginterface $ext_if
set skip on lo0
## NORMALIZATION ##
scrub in all
## TRANSLATION ##
nat on $ext_if from !($ext_if) to any -> ($ext_if) static-port
rdr on $ext_if proto tcp from any to any port $www_ports -> $www_srv
rdr on $ext_if proto tcp from any to any port $mail_ports -> $mail_srv
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
## FILTERING ##
block in all
antispoof quick for { $int_if, $dmz_if, $wifi_if }
pass quick on $int_if
pass in on $ext_if proto tcp from any to ($ext_if) port ssh
pass in on $ext_if proto tcp from any to $www_srv port $www_ports synproxy state
pass in on $ext_if proto tcp from any to $mail_srv port $mail_ports synproxy state
# This is probably redundant since we're only blocking "in"
pass out on $ext_if proto { tcp, udp, icmp } all modulate state
#pass in on $wifi_if from $wifi_if:network to any
pass in on $wifi_if from $wifi_if:network to $ext_if:network
pass in on $wifi_if proto tcp from $wifi_if:network to $wifi_if port ssh
pass in on $wifi_if proto tcp from $wifi_if:network to $www_srv port $www_ports synproxy state
pass in on $wifi_if proto tcp from $wifi_if:network to $mail_srv port $mail_ports synproxy state
pass out on $wifi_if from any to $wifi_if:network
pass in inet proto icmp all icmp-type echoreq
anchor "ftp-proxy/*"
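Added example, not part of Brian's post or of the OpenBSD sample pf.conf: per pf.conf(5), the `interface:network` modifier expands to the subnet configured on that interface, so `$ext_if:network` only covers the hosts on rl0's directly attached link (the ISP-side subnet), never the rest of the Internet. A ruleset that wants "everything except my internal subnets" expresses that by blocking the internal destinations first with `quick` and then passing `to any`. The fragment below reuses the interface names from the post; the `internal_nets` macro is an assumed name, not one from the original.

```pf
## MACROS ##
ext_if  = "rl0"
int_if  = "rl1"
dmz_if  = "sis0"
wifi_if = "sis1"
# Assumed macro name: subnets wireless clients must never reach.
# Each :network entry expands to the prefix configured on that interface.
internal_nets = "{ $int_if:network, $dmz_if:network }"

## FILTERING ##
block in all

# Wireless-to-internal traffic is dropped here. "quick" ends rule
# evaluation on a match, so the broad "pass ... to any" below cannot
# override it.
block in quick on $wifi_if from $wifi_if:network to $internal_nets

# Wireless clients may still reach the firewall's own SSH on this interface.
pass in on $wifi_if proto tcp from $wifi_if:network to ($wifi_if) port ssh

# Everything that survived the quick block is a non-internal destination,
# i.e. the outside world. "to any" is safe only because of that block.
pass in on $wifi_if from $wifi_if:network to any keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, and after loading `pfctl -sr` prints the active rules with each `:network` already resolved to a prefix, which makes it easy to confirm what a rule actually matches.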