PF: am I doing this the correct way?

My idea is to make a firewall for my office, pretty simple:

1) block all traffic from the LAN to the proxy, and from the outside
2) permit some ports from the LAN to the proxy (ssh, squid, etc.)
3) permit some ports from the WAN to the proxy (ssh)

So far I made this:

Code:
#external
ext="bce0"
#internal
int="bce1"
# pf lists use braces, not parentheses, and a macro name cannot contain a hyphen
ports="{ 53, 3128, 80, 443 }"
ports_udp="{ 53 }"
# options must come before translation (nat/rdr) and filter rules
set skip on lo0
nat on $ext inet from !($ext) -> ($ext)

block in on $ext all
#if i use this the LAN traffic is not allowed,not even with the pass in rule
#block in on $int all

pass in on $int inet proto tcp from any to any port $ports keep state
pass in on $int inet proto udp from any to any port $ports_udp keep state

pass in on $ext inet proto tcp from any to any port 22 keep state
pass out on $ext inet proto tcp from any to any port $ports keep state
pass out on $ext inet proto udp from any to any port $ports_udp keep state

pass in on $ext proto icmp
pass in on $int proto icmp

So, until now I can forward traffic from the LAN to the proxy, and deny/allow
ports from the WAN to the proxy (ssh).
The machines in the LAN have the proxy set up as their gateway.
But everything passes to the proxy (any port, web, torrent, etc.).
 
You may need some RDR (redirect) rules e.g.
Code:
# RDR rules
rdr pass on $ext_if proto tcp from any to $ip_public port $ports -> $ip_public2
 

Yes, I have already done that for squid:

Code:
rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128

I like the simplicity of the rules.
 
You are not providing detailed information in order for us to assist you then. You are also not clearly mentioning what the problem is.
 
I was searching for advice on making a firewall with PF, based on the one I made; I'm not searching for a solution to a problem.
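A complete pf.conf that implements the three goals listed in the opening post (default deny, only the listed ports from the LAN, only ssh from the WAN, with the squid redirect from the later post), as an added example that is not from any poster in this thread. The interface names bce0/bce1 and ports come from the thread; the LAN address range is an assumption.

```pf
# Added example (not from any post in this thread): a complete pf.conf for the
# three goals of the opening post. bce0/bce1 are the interface names from the
# thread; the LAN network below is an assumed value.
ext_if="bce0"
int_if="bce1"
lan_net="192.168.1.0/24"              # assumption: office LAN range
tcp_ports="{ 53, 80, 443, 3128 }"     # pf lists use braces, not parentheses
udp_ports="{ 53 }"
admin_ports="{ 22 }"

# 1. Options come first; pfctl rejects them after translation/filter rules.
set skip on lo0
set block-policy drop

# 2. Translation: masquerade the LAN and redirect LAN web traffic into squid
#    (squid must listen on 3128 in intercept/transparent mode for this to work).
nat on $ext_if inet from $lan_net to any -> ($ext_if)
rdr pass on $int_if inet proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3128

# 3. Filtering: default deny everywhere, then only the listed services.
block log all
antispoof quick for { $int_if, $ext_if }

# LAN -> proxy/Internet: only DNS, web and the squid port, from the LAN range only.
# Anything else (torrent, arbitrary ports) is caught by "block log all".
pass in on $int_if inet proto tcp from $lan_net to any port $tcp_ports keep state
pass in on $int_if inet proto udp from $lan_net to any port $udp_ports keep state
# LAN -> proxy administration: ssh to the box itself, not forwarded onward.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port $admin_ports keep state

# WAN -> proxy: ssh only, and only to this host's own external address.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $admin_ports keep state

# Traffic leaving on the external interface: squid fetches, DNS lookups, pings.
# After NAT the source is ($ext_if), so forwarded LAN traffic matches here too.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_ports keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_ports keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a single syntax error (such as a parenthesised port list) makes pfctl reject the whole ruleset, so none of the intended restrictions take effect.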
 