Re: help configuring pf: one net can access other but not vice versa

2010-05-09 Thread Sviatoslav Chagaev
On Sun, 9 May 2010 02:47:15 +0300, Jussi Peltola wrote:
> On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> > Hello,
> > 
> > I have the following network configuration:
> > 
> > $ext_if -- wired interface, connected to my ISP's network, with a
> > real IP address, visible from the Intertubes.
> > 
> > $int_if -- wired interface, to which comps on my home LAN are
> > connected
> > 
> > $wifi_if -- wifi interface, working in host ap mode, free-for-all
> > 
> > I've set up two NATs so that comps on $int_if:network and
> > $wifi_if:network could access the Intertubes.
> > 
> > Now I want the following:
> > so that comps from $int_if:network could access $wifi_if:network
> > (say, ssh to comps over there) but not vice versa.
> > 
> > How do I do this?
> > 
> > Everything I try either ends up blocking all traffic or allowing
> > traffic both initiated from $int_if:network to $wifi_if:network and
> > vice versa in a strange way: only every second response gets to
> > destination, i.e. I see ping like:
> > seq_num: 2
> > seq_num: 4
> > ...etc
> > 
> > Here's my current config file (with many failed attempts commented
> > out), system is 4.5:
> > 
> > #
> > # See pf.conf(5) for syntax and examples; this sample ruleset uses
> > # require-order to permit mixing of NAT/RDR and filter rules.
> > # Remember to set net.inet.ip.forwarding=1 and/or
> > # net.inet6.ip6.forwarding=1 in /etc/sysctl.conf if packets are to
> > # be forwarded between interfaces.
> > 
> > ext_if='fxp0'
> > int_if='sis0'
> > wifi_if='ral0'
> > 
> > # Limit speed on wifi_if to 2 megabits
> > #altq on $wifi_if cbq bandwidth 2Mb queue std
> > #queue std bandwidth 100% cbq(default)
> > 
> > # block return in all
> > # block return out all
> > 
> > set require-order no
> >
> > set skip on lo
> > scrub in
> > 
> > # NAT
> > nat on $ext_if from $int_if:network to any -> $ext_if
> > nat on $ext_if from $wifi_if:network to any -> $ext_if
> > 
> > # NAT/filter rules and anchors for ftp-proxy(8)
> > #nat-anchor "ftp-proxy/*"
> > #rdr-anchor "ftp-proxy/*"
> > #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> > #anchor "ftp-proxy/*"
> > #pass out proto tcp from $proxy to any port ftp
> > 
> > # Filter for $ext_if
> > block return in on $ext_if
> > pass in on $ext_if proto tcp from any to any port { www, 222 }
> 
> this is unnecessarily broad. to $ext_if would be adequate.
> 
> To do what you want to do, I'd write something like the following:
> 
> set block-policy return
> 
> antispoof quick for { $int_if, $wifi_if, $ext_if }
> 
> block all
> 
> pass out on $ext_if
> pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
> pass in on $ext_if proto tcp to $ext_if port { www, 222 }
> pass in on $int_if
> pass in on $wifi_if
> 

Worked like a charm, thanks!



Re: help configuring pf: one net can access other but not vice versa

2010-05-08 Thread Jussi Peltola
On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> Hello,
> 
> I have the following network configuration:
> 
> $ext_if -- wired interface, connected to my ISP's network, with a real
> IP address, visible from the Intertubes.
> 
> $int_if -- wired interface, to which comps on my home LAN are connected
> 
> $wifi_if -- wifi interface, working in host ap mode, free-for-all
> 
> I've set up two NATs so that comps on $int_if:network and
> $wifi_if:network could access the Intertubes.
> 
> Now I want the following:
> so that comps from $int_if:network could access $wifi_if:network (say,
> ssh to comps over there) but not vice versa.
> 
> How do I do this?
> 
> Everything I try either ends up blocking all traffic or allowing
> traffic both initiated from $int_if:network to $wifi_if:network and
> vice versa in a strange way: only every second response gets to
> destination, i.e. I see ping like:
> seq_num: 2
> seq_num: 4
> ...etc
> 
> Here's my current config file (with many failed attempts commented out),
> system is 4.5:
> 
> #
> # See pf.conf(5) for syntax and examples; this sample ruleset uses
> # require-order to permit mixing of NAT/RDR and filter rules.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> 
> ext_if='fxp0'
> int_if='sis0'
> wifi_if='ral0'
> 
> # Limit speed on wifi_if to 2 megabits
> #altq on $wifi_if cbq bandwidth 2Mb queue std
> #queue std bandwidth 100% cbq(default)
> 
> # block return in all
> # block return out all
> 
> set require-order no
>
> set skip on lo
> scrub in
> 
> # NAT
> nat on $ext_if from $int_if:network to any -> $ext_if
> nat on $ext_if from $wifi_if:network to any -> $ext_if
> 
> # NAT/filter rules and anchors for ftp-proxy(8)
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> #anchor "ftp-proxy/*"
> #pass out proto tcp from $proxy to any port ftp
> 
> # Filter for $ext_if
> block return in on $ext_if
> pass in on $ext_if proto tcp from any to any port { www, 222 }

this is unnecessarily broad. to $ext_if would be adequate.

To do what you want to do, I'd write something like the following:

set block-policy return

antispoof quick for { $int_if, $wifi_if, $ext_if }

block all

pass out on $ext_if
pass out on $wifi_if proto tcp from $int_if:network to $wifi_if:network port ssh
pass in on $ext_if proto tcp to $ext_if port { www, 222 }
pass in on $int_if
pass in on $wifi_if
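
To make the reply's ruleset concrete, here is an added example (not code from the thread or from any of its authors): a small Python model of how pf evaluates these rules, run against a few constructed packets. It encodes the two properties the answer relies on, that the last matching rule wins unless a rule is `quick`, and that a forwarded packet is filtered once `in` on the interface it arrives on and once `out` on the interface it leaves through. That second pass is what gives the asymmetry: traffic from $wifi_if:network is let in on $wifi_if, but with `block all` and no `pass out on $int_if` it is stopped on the way out, while LAN-to-wifi ssh has its own `pass out on $wifi_if` rule. The interface names are the ones from the thread; the addresses, the example hosts and the default-route behaviour are assumptions of this example. Antispoof, NAT and state tracking are left out of the model.

```python
"""Toy model of pf rule evaluation for the ruleset in the reply above.

Added example for this thread, not code from the original posts.
Modelled semantics (see pf.conf(5)): rules are read top to bottom and
the LAST match decides, unless a matching rule is 'quick'; with no match
the packet passes; a forwarded packet is filtered 'in' on the arrival
interface and 'out' on the departure interface.  'block-policy return'
only changes how a block is answered (RST/ICMP), so just the verdict is
modelled.  Left out: antispoof, NAT and state (replies ride the state
entry of a passed flow).  Addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

EXT, INT, WIFI = "fxp0", "sis0", "ral0"       # $ext_if, $int_if, $wifi_if
IFACES = {                                   # assumed addressing
    EXT:  {"addr": "203.0.113.10", "net": "203.0.113.0/24"},
    INT:  {"addr": "192.168.1.1",  "net": "192.168.1.0/24"},
    WIFI: {"addr": "192.168.2.1",  "net": "192.168.2.0/24"},
}


def rule(action, direction=None, on=None, proto=None,
         src=None, dst=None, dport=None, quick=False):
    """One filter rule; None means the field is omitted, i.e. 'any'."""
    return {"action": action, "dir": direction, "on": on, "proto": proto,
            "src": src, "dst": dst, "dport": dport, "quick": quick}


def route(addr):
    """Interface a destination leaves through; None = the firewall itself."""
    a = ip_address(addr)
    if any(a == ip_address(i["addr"]) for i in IFACES.values()):
        return None
    for name, i in IFACES.items():
        if a in ip_network(i["net"]):
            return name
    return EXT                               # assumed default route


def pkt(src, dst, proto="tcp", dport=None):
    """A packet on arrival; in_if is the interface owning the source net."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "in_if": route(src) or EXT}


def matches(r, p, direction, iface):
    if r["dir"] not in (None, direction) or r["on"] not in (None, iface):
        return False
    if r["proto"] not in (None, p["proto"]):
        return False
    if r["src"] and ip_address(p["src"]) not in ip_network(r["src"], strict=False):
        return False
    if r["dst"] and ip_address(p["dst"]) not in ip_network(r["dst"], strict=False):
        return False
    return not r["dport"] or p["dport"] in r["dport"]


def filter_once(rules, p, direction, iface):
    decision = "pass"                        # no match -> pass
    for r in rules:
        if matches(r, p, direction, iface):
            decision = r["action"]           # last match wins ...
            if r["quick"]:
                break                        # ... unless it is quick
    return decision


def verdict(rules, p):
    """Run the in-pass and the out-pass and report where the packet ended."""
    if filter_once(rules, p, "in", p["in_if"]) != "pass":
        return f"block in on {p['in_if']}"
    out_if = route(p["dst"])
    if out_if is None:
        return "pass to firewall"
    return f"{filter_once(rules, p, 'out', out_if)} out on {out_if}"


# The reply's ruleset (antispoof omitted), in pf.conf order.
PROPOSED = [
    rule("block"),                                             # block all
    rule("pass", "out", EXT),                                  # pass out on $ext_if
    rule("pass", "out", WIFI, "tcp", src=IFACES[INT]["net"],   # only ssh, only LAN->wifi
         dst=IFACES[WIFI]["net"], dport={22}),
    rule("pass", "in", EXT, "tcp", dst=IFACES[EXT]["addr"], dport={80, 222}),
    rule("pass", "in", INT),                                   # pass in on $int_if
    rule("pass", "in", WIFI),                                  # pass in on $wifi_if
]

# The two $ext_if lines from the original post, to show the reviewer's point:
# "from any to any" also admits forwarded traffic, and nothing blocks it on
# the way out, whereas "to $ext_if" only admits traffic for the firewall.
ORIGINAL_EXT = [
    rule("block", "in", EXT),
    rule("pass", "in", EXT, "tcp", dport={80, 222}),
]

if __name__ == "__main__":
    for label, p in [("LAN->wifi ssh", pkt("192.168.1.5", "192.168.2.20", dport=22)),
                     ("wifi->LAN ssh", pkt("192.168.2.20", "192.168.1.5", dport=22)),
                     ("wifi->Internet", pkt("192.168.2.20", "198.51.100.7", dport=80)),
                     ("Internet->LAN:80", pkt("198.51.100.7", "192.168.1.5", dport=80))]:
        print(f"{label:17} proposed: {verdict(PROPOSED, p):18} "
              f"original ext rules: {verdict(ORIGINAL_EXT, p)}")
```

Running it shows LAN-to-wifi ssh passing out on ral0, wifi-to-LAN ssh blocked out on sis0 (the asymmetry asked for), and an Internet packet addressed to a LAN host on port 80 blocked in on fxp0 under the proposed rules but forwarded under the original `from any to any` lines, which is the "unnecessarily broad" remark in the reply.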



help configuring pf: one net can access other but not vice versa

2010-05-08 Thread Sviatoslav Chagaev
Hello,

I have the following network configuration:

$ext_if -- wired interface, connected to my ISP's network, with a real
IP address, visible from the Intertubes.

$int_if -- wired interface, to which comps on my home LAN are connected

$wifi_if -- wifi interface, working in host ap mode, free-for-all

I've set up two NATs so that comps on $int_if:network and
$wifi_if:network could access the Intertubes.

Now I want the following:
so that comps from $int_if:network could access $wifi_if:network (say,
ssh to comps over there) but not vice versa.

How do I do this?

Everything I try either ends up blocking all traffic or allowing
traffic both initiated from $int_if:network to $wifi_if:network and
vice versa in a strange way: only every second response gets to
destination, i.e. I see ping like:
seq_num: 2
seq_num: 4
...etc

Here's my current config file (with many failed attempts commented out),
system is 4.5:

#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if='fxp0'
int_if='sis0'
wifi_if='ral0'

# Limit speed on wifi_if to 2 megabits
#altq on $wifi_if cbq bandwidth 2Mb queue std
#queue std bandwidth 100% cbq(default)

# block return in all
# block return out all

set require-order no
set skip on lo
scrub in

# NAT
nat on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $wifi_if:network to any -> $ext_if

# NAT/filter rules and anchors for ftp-proxy(8)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
#anchor "ftp-proxy/*"
#pass out proto tcp from $proxy to any port ftp

# Filter for $ext_if
block return in on $ext_if
pass in on $ext_if proto tcp from any to any port { www, 222 }

# Filter for $wifi_if
#block return in on $wifi_if
#pass in quick on $wifi_if from any to $wifi_if:network
#pass in on $wifi_if from $wifi_if:network to { ! $wifi_if, ! $int_if:network }
#pass in quick on $wifi_if from $int_if:network to any
#block return in on $int_if from $wifi_if:network to any
#block return in on $wifi_if from any to { $wifi_if, $int_if:network }

antispoof log quick for $ext_if
antispoof log quick for $int_if
antispoof log quick for $wifi_if