Re: help configuring pf: one net can access other but not vice versa
On Sun, 9 May 2010 02:47:15 +0300, Jussi Peltola wrote:
> On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> > Hello,
> >
> > I have the following network configuration:
> >
> > $ext_if -- wired interface, connected to my ISP's network, with a
> > real IP address, visible from the Intertubes.
> >
> > $int_if -- wired interface, to which comps on my home LAN are
> > connected
> >
> > $wifi_if -- wifi interface, working in host ap mode, free-for-all
> >
> > I've set up two NATs so that comps on $int_if:network and
> > $wifi_if:network could access the Intertubes.
> >
> > Now I want the following:
> > so that comps from $int_if:network could access $wifi_if:network
> > (say, ssh to comps over there) but not vice versa.
> >
> > How do I do this?
> >
> > Everything I try either ends up blocking all traffic or allowing
> > traffic both initiated from $int_if:network to $wifi_if:network and
> > vice versa in a strange way: only every second response gets to
> > destination, i.e. I see ping like:
> > seq_num: 2
> > seq_num: 4
> > ...etc
> >
> > Here's my current config file (with many failed attempts commented
> > out), system is 4.5:
> >
> > #
> > # See pf.conf(5) for syntax and examples; this sample ruleset uses
> > # require-order to permit mixing of NAT/RDR and filter rules.
> > # Remember to set net.inet.ip.forwarding=1 and/or
> > # net.inet6.ip6.forwarding=1 in /etc/sysctl.conf if packets are to
> > # be forwarded between interfaces.
> >
> > ext_if='fxp0'
> > int_if='sis0'
> > wifi_if='ral0'
> >
> > # Limit speed on wifi_if to 2 megabits
> > #altq on $wifi_if cbq bandwidth 2Mb queue std
> > #queue std bandwidth 100% cbq(default)
> >
> > # block return in all
> > # block return out all
> >
> > set require-order no
> >
> > set skip on lo
> > scrub in
> >
> > # NAT
> > nat on $ext_if from $int_if:network to any -> $ext_if
> > nat on $ext_if from $wifi_if:network to any -> $ext_if
> >
> > # NAT/filter rules and anchors for ftp-proxy(8)
> > #nat-anchor "ftp-proxy/*"
> > #rdr-anchor "ftp-proxy/*"
> > #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> > #anchor "ftp-proxy/*"
> > #pass out proto tcp from $proxy to any port ftp
> >
> > # Filter for $ext_if
> > block return in on $ext_if
> > pass in on $ext_if proto tcp from any to any port { www, 222 }
>
> this is unnecessarily broad. to $ext_if would be adequate.
>
> To do what you want to do, I'd write something like the following:
>
> set block-policy return
>
> antispoof quick for { $int_if, $wifi_if, $ext_if }
>
> block all
>
> pass out on $ext_if
> pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
> pass in on $ext_if proto tcp to $ext_if port { www, 222 }
> pass in on $int_if
> pass in on $wifi_if

Worked like a charm, thanks!
Re: help configuring pf: one net can access other but not vice versa
On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> Hello,
>
> I have the following network configuration:
>
> $ext_if -- wired interface, connected to my ISP's network, with a real
> IP address, visible from the Intertubes.
>
> $int_if -- wired interface, to which comps on my home LAN are connected
>
> $wifi_if -- wifi interface, working in host ap mode, free-for-all
>
> I've set up two NATs so that comps on $int_if:network and
> $wifi_if:network could access the Intertubes.
>
> Now I want the following:
> so that comps from $int_if:network could access $wifi_if:network (say,
> ssh to comps over there) but not vice versa.
>
> How do I do this?
>
> Everything I try either ends up blocking all traffic or allowing
> traffic both initiated from $int_if:network to $wifi_if:network and
> vice versa in a strange way: only every second response gets to
> destination, i.e. I see ping like:
> seq_num: 2
> seq_num: 4
> ...etc
>
> Here's my current config file (with many failed attempts commented out),
> system is 4.5:
>
> #
> # See pf.conf(5) for syntax and examples; this sample ruleset uses
> # require-order to permit mixing of NAT/RDR and filter rules.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if='fxp0'
> int_if='sis0'
> wifi_if='ral0'
>
> # Limit speed on wifi_if to 2 megabits
> #altq on $wifi_if cbq bandwidth 2Mb queue std
> #queue std bandwidth 100% cbq(default)
>
> # block return in all
> # block return out all
>
> set require-order no
>
> set skip on lo
> scrub in
>
> # NAT
> nat on $ext_if from $int_if:network to any -> $ext_if
> nat on $ext_if from $wifi_if:network to any -> $ext_if
>
> # NAT/filter rules and anchors for ftp-proxy(8)
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> #anchor "ftp-proxy/*"
> #pass out proto tcp from $proxy to any port ftp
>
> # Filter for $ext_if
> block return in on $ext_if
> pass in on $ext_if proto tcp from any to any port { www, 222 }

this is unnecessarily broad. to $ext_if would be adequate.

To do what you want to do, I'd write something like the following:

set block-policy return

antispoof quick for { $int_if, $wifi_if, $ext_if }

block all

pass out on $ext_if
pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
pass in on $ext_if proto tcp to $ext_if port { www, 222 }
pass in on $int_if
pass in on $wifi_if
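To see why the reply's ruleset gives one-way access, here is a toy model of pf's evaluation of it (an added example, not code from the thread; the networks, hosts and the router's own addresses are constructed, and NAT, antispoof and block-policy are left out). It also makes explicit a point worth checking on an open wifi: `pass in on $wifi_if` admits wifi clients to services on the router itself, so whatever listens on the router (the port 222 service in the ruleset, for instance) should be bound or filtered accordingly.

```python
# Added example, not from the thread: a toy model of how pf evaluates the reply's ruleset
# (no "quick": the last match wins; forwarded packets are filtered in AND out). All hosts constructed.
import ipaddress
NETS = {  # stand-ins for $int_if:network, $wifi_if:network and $ext_if's own address
    "int_if": ipaddress.ip_network("192.168.1.0/24"),
    "wifi_if": ipaddress.ip_network("192.168.2.0/24"),
    "ext_if": ipaddress.ip_network("203.0.113.10/32"),
}
RULES = [  # (action, direction, interface, proto, from, to, ports); None means "any"
    ("block", None, None, None, None, None, None),                 # block all
    ("pass", "out", "ext_if", None, None, None, None),             # pass out on $ext_if
    ("pass", "out", "wifi_if", "tcp", "int_if", "wifi_if", {22}),  # LAN -> wifi, ssh only
    ("pass", "in", "ext_if", "tcp", None, "ext_if", {80, 222}),    # to $ext_if port { www, 222 }
    ("pass", "in", "int_if", None, None, None, None),              # pass in on $int_if
    ("pass", "in", "wifi_if", None, None, None, None),             # pass in on $wifi_if
]

def pkt(proto, src, dst, dport):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}

def matches(rule, p, direction, iface):
    _, rdir, rif, proto, src, dst, ports = rule
    return ((rdir is None or rdir == direction) and (rif is None or rif == iface)
            and (proto is None or proto == p["proto"])
            and (src is None or p["src"] in NETS[src])
            and (dst is None or p["dst"] in NETS[dst])
            and (ports is None or p["dport"] in ports))

def verdict(p, direction, iface):
    # pf passes when nothing matches; without "quick" the last matching rule decides
    hits = [r[0] for r in RULES if matches(r, p, direction, iface)]
    return hits[-1] if hits else "pass"

def forwarded(p, in_if, out_if):
    # First packet of a flow through the box must pass both legs; replies ride the state it creates
    return verdict(p, "in", in_if) == "pass" and verdict(p, "out", out_if) == "pass"

def policy_table():
    lan, wifi, outside = "192.168.1.20", "192.168.2.20", "198.51.100.7"
    rtr_ext, rtr_wifi = "203.0.113.10", "192.168.2.1"  # firewall's own addresses: only filtered inbound
    return {
        "lan->wifi ssh": forwarded(pkt("tcp", lan, wifi, 22), "int_if", "wifi_if"),
        "lan->wifi http": forwarded(pkt("tcp", lan, wifi, 80), "int_if", "wifi_if"),
        "wifi->lan ssh": forwarded(pkt("tcp", wifi, lan, 22), "wifi_if", "int_if"),
        "wifi->internet": forwarded(pkt("tcp", wifi, outside, 443), "wifi_if", "ext_if"),
        "internet->router:222": verdict(pkt("tcp", outside, rtr_ext, 222), "in", "ext_if") == "pass",
        "internet->router:25": verdict(pkt("tcp", outside, rtr_ext, 25), "in", "ext_if") == "pass",
        "wifi->router:222": verdict(pkt("tcp", wifi, rtr_wifi, 222), "in", "wifi_if") == "pass",
    }
```

On the real box, `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` prints the rules in the order pf actually evaluates them.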
help configuring pf: one net can access other but not vice versa
Hello,

I have the following network configuration:

$ext_if -- wired interface, connected to my ISP's network, with a real
IP address, visible from the Intertubes.

$int_if -- wired interface, to which comps on my home LAN are connected

$wifi_if -- wifi interface, working in host ap mode, free-for-all

I've set up two NATs so that comps on $int_if:network and
$wifi_if:network could access the Intertubes.

Now I want the following:
so that comps from $int_if:network could access $wifi_if:network (say,
ssh to comps over there) but not vice versa.

How do I do this?

Everything I try either ends up blocking all traffic or allowing
traffic both initiated from $int_if:network to $wifi_if:network and
vice versa in a strange way: only every second response gets to
destination, i.e. I see ping like:
seq_num: 2
seq_num: 4
...etc

Here's my current config file (with many failed attempts commented out),
system is 4.5:

#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if='fxp0'
int_if='sis0'
wifi_if='ral0'

# Limit speed on wifi_if to 2 megabits
#altq on $wifi_if cbq bandwidth 2Mb queue std
#queue std bandwidth 100% cbq(default)

# block return in all
# block return out all

set require-order no

set skip on lo
scrub in

# NAT
nat on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $wifi_if:network to any -> $ext_if

# NAT/filter rules and anchors for ftp-proxy(8)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
#anchor "ftp-proxy/*"
#pass out proto tcp from $proxy to any port ftp

# Filter for $ext_if
block return in on $ext_if
pass in on $ext_if proto tcp from any to any port { www, 222 }

# Filter for $wifi_if
#block return in on $wifi_if
#pass in quick on $wifi_if from any to $wifi_if:network
#pass in on $wifi_if from $wifi_if:network to { ! $wifi_if, ! $int_if:network }
#pass in quick on $wifi_if from $int_if:network to any
#block return in on $int_if from $wifi_if:network to any
#block return in on $wifi_if from any to { $wifi_if, $int_if:network }

antispoof log quick for $ext_if
antispoof log quick for $int_if
antispoof log quick for $wifi_if