Brian,
The variable $ext_if:network resolves to the network subnet of the
interface. First do a "pfctl -sr" and look at the rule in question. Then
notice the IP addresses in that rule. If you are trying to go to google.com,
but $ext_if:network resolves to a /24 network address, then google.com is
not accessible.
You could always try setting up a table with the IPs/subnets of your network
that you do not want the wifi network to go to, called <my_localnets>. Then use
the not (!) operator to say, wifi can go anywhere but not (!) <my_localnets>.
# A table is negated as a single address set; a negated list would expand
# into one rule per entry and not give the intended result.
table <my_localnets> { 10.10.10.0/24, 10.20.20.0/24 }
pass in on $wifi_if from $wifi_if:network to !<my_localnets>
Hope this helps.
OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html
--
Calomel @ http://calomel.org
Open Source Research and Reference
On Mon, Feb 25, 2008 at 10:34:24PM -0600, Brian Johnson wrote:
>Hi everyone,
>
>I'm having some trouble figuring out why one of my PF rules isn't
>working. I have my wireless network in its own subnet. (Internal
>and DMZ are also subnetted, DMZ currently not being used.) I don't
>want wireless clients to have open access to my other subnets, so I
>have a default "block in" on the $wifi_if. But I want to allow any
>traffic from the wireless network to pass through to the outside
>world. I tried using the following rule to accomplish this:
>
> pass in on $wifi_if from $wifi_if:network to $ext_if:network
>
>But it does not seem to work. I know it's not a routing issue because
>if I change it to this it works fine:
>
> pass in on $wifi_if from $wifi_if:network to any
>
>But that obviously allows full access to all my other subnets, which I
>don't want. So if anyone can help me understand why this isn't
>working the way I think it should, I would be very grateful! I will
>include my full pf.conf below for reference.
>
>Thanks!
>--Brian Johnson
>
>
>
># $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
>#
># See pf.conf(5) and /usr/share/pf for syntax and examples.
># Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
># in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
>## MACROS ##
>ext_if = "rl0"
>int_if = "rl1"
>dmz_if = "sis0"
>wifi_if = "sis1"
>www_srv = "192.168.1.3"
>mail_srv = "192.168.1.3"
>www_ports = "{ http, https }"
>mail_ports = "{ smtp, submission, imaps }"
>
>## OPTIONS ##
>set block-policy return
>set loginterface $ext_if
>set skip on lo0
>
>## NORMALIZATION ##
>scrub in all
>
>## TRANSLATION ##
>nat on $ext_if from !($ext_if) to any -> ($ext_if) static-port
>
>rdr on $ext_if proto tcp from any to any port $www_ports -> $www_srv
>rdr on $ext_if proto tcp from any to any port $mail_ports -> $mail_srv
>rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
>nat-anchor "ftp-proxy/*"
>rdr-anchor "ftp-proxy/*"
>
>## FILTERING ##
>block in all
>
>antispoof quick for { $int_if, $dmz_if, $wifi_if }
>
>pass quick on $int_if
>
>pass in on $ext_if proto tcp from any to ($ext_if) port ssh
>pass in on $ext_if proto tcp from any to $www_srv port $www_ports synproxy state
>pass in on $ext_if proto tcp from any to $mail_srv port $mail_ports synproxy state
>
># This is probably redundant since we're only blocking "in"
>pass out on $ext_if proto { tcp, udp, icmp } all modulate state
>
>#pass in on $wifi_if from $wifi_if:network to any
>pass in on $wifi_if from $wifi_if:network to $ext_if:network
>pass in on $wifi_if proto tcp from $wifi_if:network to $wifi_if port ssh
>pass in on $wifi_if proto tcp from $wifi_if:network to $www_srv port $www_ports synproxy state
>pass in on $wifi_if proto tcp from $wifi_if:network to $mail_srv port $mail_ports synproxy state
>pass out on $wifi_if from any to $wifi_if:network
>
>pass in inet proto icmp all icmp-type echoreq
>
>anchor "ftp-proxy/*"
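The following is an added example that is not part of either message in the thread. It models how pf matches the destination of the three rule variants that came up: Brian's "to $ext_if:network", the negated table from the reply, and a negated list, which pf expands into one rule per element. The upstream subnet and the internal networks are constructed addresses (assumptions); on a real firewall the expanded values come from "pfctl -sr".

```python
"""Model of pf destination matching for the rule variants discussed in the
thread. Added example, not code from the thread. All addresses are
constructed for illustration (assumptions, not the poster's real values)."""
import ipaddress

# Constructed assumptions: what $ext_if:network would expand to, and the
# internal networks the wifi clients should be kept out of.
EXT_IF_NETWORK = ipaddress.ip_network("203.0.113.0/24")
MY_LOCALNETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # internal LAN (where $www_srv lives)
    ipaddress.ip_network("10.20.20.0/24"),   # DMZ (constructed)
]


def dst_ext_if_network(dst: str) -> bool:
    """'to $ext_if:network' matches only hosts on the upstream subnet itself,
    not the rest of the Internet, which is why a host such as google.com is
    never matched by that rule."""
    return ipaddress.ip_address(dst) in EXT_IF_NETWORK


def dst_negated_table(dst: str) -> bool:
    """'to !<my_localnets>': a table is one address set, so the negation
    means 'not in any entry of the table'."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in MY_LOCALNETS)


def dst_negated_list(dst: str) -> bool:
    """'to ! { 192.168.1.0/24, 10.20.20.0/24 }': pf expands a list into one
    rule per element, giving 'to !192.168.1.0/24' and 'to !10.20.20.0/24'.
    Both are pass rules, so the packet passes if either one matches, which
    for disjoint networks is always. A negated list therefore does not mean
    'not in any of these'; that is what the table is for."""
    ip = ipaddress.ip_address(dst)
    return any(ip not in net for net in MY_LOCALNETS)


def evaluate(dst: str) -> dict:
    """Return whether each rule variant would pass traffic to dst."""
    return {
        "ext_if_network": dst_ext_if_network(dst),
        "negated_table": dst_negated_table(dst),
        "negated_list": dst_negated_list(dst),
    }


if __name__ == "__main__":
    samples = [
        "203.0.113.50",   # host on the upstream /24 (constructed)
        "198.51.100.10",  # an arbitrary Internet host (constructed)
        "192.168.1.3",    # $www_srv on the internal LAN
        "10.20.20.7",     # DMZ host (constructed)
    ]
    print(f"{'destination':<16}{'ext_if:network':<16}{'!<table>':<10}! {{list}}")
    for dst in samples:
        r = evaluate(dst)
        print(f"{dst:<16}{str(r['ext_if_network']):<16}"
              f"{str(r['negated_table']):<10}{r['negated_list']}")
```

On the firewall itself, "pfctl -sr" shows the ruleset after macro and list expansion, which is where a list negation becoming two separate rules becomes visible, and "pfctl -t my_localnets -T show" lists the addresses currently in the table.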