Hi Brian,
This rule:
pass in on $wifi_if from $wifi_if:network to $ext_if:network
just permits communication from the wifi network to the ext network, not from the wifi
network to the world.
I think you can use this rule for your solution:
pass in on $wifi_if from $wifi_if:network to !(your subnets)
--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
On 26/02/2008, Brian Johnson <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I'm having some trouble figuring out why one of my PF rules isn't
> working. I have my wireless network in its own subnet. (Internal
> and DMZ are also subnetted, DMZ currently not being used.) I don't
> want wireless clients to have open access to my other subnets, so I
> have a default "block in" on the $wifi_if. But I want to allow any
> traffic from the wireless network to pass through to the outside
> world. I tried using the following rule to accomplish this:
>
> pass in on $wifi_if from $wifi_if:network to $ext_if:network
>
> But it does not seem to work. I know it's not a routing issue because
> if I change it to this it works fine:
>
> pass in on $wifi_if from $wifi_if:network to any
>
> But that obviously allows full access to all my other subnets, which I
> don't want. So if anyone can help me understand why this isn't
> working the way I think it should, I would be very grateful! I will
> include my full pf.conf below for reference.
>
> Thanks!
> --Brian Johnson
>
> # $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ## MACROS ##
> ext_if = "rl0"
> int_if = "rl1"
> dmz_if = "sis0"
> wifi_if = "sis1"
> www_srv = "192.168.1.3"
> mail_srv = "192.168.1.3"
> www_ports = "{ http, https }"
> mail_ports = "{ smtp, submission, imaps }"
>
> ## OPTIONS ##
> set block-policy return
> set loginterface $ext_if
> set skip on lo0
>
> ## NORMALIZATION ##
> scrub in all
>
> ## TRANSLATION ##
> nat on $ext_if from !($ext_if) to any -> ($ext_if) static-port
>
> rdr on $ext_if proto tcp from any to any port $www_ports -> $www_srv
> rdr on $ext_if proto tcp from any to any port $mail_ports -> $mail_srv
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> ## FILTERING ##
> block in all
>
> antispoof quick for { $int_if, $dmz_if, $wifi_if }
>
> pass quick on $int_if
>
> pass in on $ext_if proto tcp from any to ($ext_if) port ssh
> pass in on $ext_if proto tcp from any to $www_srv port $www_ports synproxy state
> pass in on $ext_if proto tcp from any to $mail_srv port $mail_ports synproxy state
>
> # This is probably redundant since we're only blocking "in"
> pass out on $ext_if proto { tcp, udp, icmp } all modulate state
>
> #pass in on $wifi_if from $wifi_if:network to any
> pass in on $wifi_if from $wifi_if:network to $ext_if:network
> pass in on $wifi_if proto tcp from $wifi_if:network to $wifi_if port ssh
> pass in on $wifi_if proto tcp from $wifi_if:network to $www_srv port $www_ports synproxy state
> pass in on $wifi_if proto tcp from $wifi_if:network to $mail_srv port $mail_ports synproxy state
> pass out on $wifi_if from any to $wifi_if:network
>
> pass in inet proto icmp all icmp-type echoreq
>
> anchor "ftp-proxy/*"
>
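The approach Gilberto suggests, written out as an added example pf.conf fragment that is not from either message in this thread: $ext_if:network expands only to the subnet directly attached to rl0 (the ISP link), so the original rule never matches Internet-bound traffic, and the fix is to negate the local subnets instead. The subnet values and the table name <local_nets> are constructed placeholders to replace with your own prefixes.

```pf
# Added example, not Brian's pf.conf. Interface names follow the thread;
# subnet values are constructed placeholders.
ext_if  = "rl0"
int_if  = "rl1"
dmz_if  = "sis0"
wifi_if = "sis1"

# pf does not accept a negated list such as "to !{ a, b }", so collect the
# subnets the wireless clients must NOT reach in a table and negate that.
# Include the wifi subnet itself so clients cannot reach each other's or the
# gateway's wireless addresses except through the explicit rules below.
table <local_nets> const { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 }

block in all
antispoof quick for { $int_if, $dmz_if, $wifi_if }

# Wireless clients may go anywhere EXCEPT the local subnets.
# "$ext_if:network" would only have matched the ISP-side subnet of rl0.
pass in on $wifi_if from $wifi_if:network to !<local_nets> keep state

# Explicit exceptions for the gateway services wireless clients may use.
pass in on $wifi_if proto tcp from $wifi_if:network to ($wifi_if) port ssh keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -sr` that the wifi pass rule is listed with the table negation after it has been loaded.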