I've got pf.conf set up like this on a NAT box-
Code:
ext_if = "xn0"
# options (set ...) must come before normalization, translation and filter rules
set skip on lo0
scrub in all
nat on $ext_if inet from ! $ext_if to any -> $ext_if
block all
pass in log on $ext_if proto tcp from any to self port { 22 }
pass out log on $ext_if proto tcp to any port { 80, 443 }
With this, the NAT itself can be reached via SSH and get out to fetch updates, but it doesn't allow private subnet machines out to fetch updates (via freebsd-update fetch). If I replace the last two lines with-
Code:
pass in all
pass out all
...the private subnet box can then fetch updates just fine. I don't want to leave the NAT firewall totally open, so how can I limit the ports (as I attempted above) while still allowing the private subnet boxes to get updates? On all boxes, I've got the freebsd-update servers listed in /etc/hosts. Thanks for any help.
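A ruleset that keeps the port restriction but opens the inside of the NAT box, as an added example that is not part of the original post: `block all` also drops the private machines' packets as they arrive inbound on the internal interface, so the ruleset above needs a `pass in` on that interface, not just the `pass out` on `$ext_if`. The internal interface name `xn1` and the subnet 192.168.1.0/24 are assumptions.

```pf
ext_if  = "xn0"
int_if  = "xn1"             # assumed name of the private-side interface
int_net = "192.168.1.0/24"  # assumed private subnet behind the NAT

# options and normalization precede translation and filter rules
set skip on lo0
scrub in all

# translate the private subnet to the external address
nat on $ext_if inet from $int_net to any -> ($ext_if)

block all

# administration of the NAT box itself
pass in log on $ext_if proto tcp from any to self port 22

# private machines: accept their HTTP/HTTPS packets on the inside interface;
# after NAT the same flows match the pass out rule on $ext_if, which also
# covers the NAT box's own freebsd-update traffic
pass in on $int_if proto tcp from $int_net to any port { 80, 443 }
pass out log on $ext_if proto tcp to any port { 80, 443 }

# freebsd-update hosts are in /etc/hosts here, so no DNS rule is needed;
# without that, UDP port 53 from $int_net would have to be passed as well
```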