I have a server in my LAN and I want the server to be able to make outgoing connections to the internet. However, I don't want it to be able to touch the rest of my LAN. For example, `ping 4.2.2.2` should work, but `ping 10.10.10.209` should not.
I was informed that this is possible with pf, but I haven't used pf yet. I would like to learn it, but have tried to find a config used in a similar situation and came up with nothing (I learn by example).
So.... two questions - 1) Is pf the best choice to do this, or would I be better doing something before the server (like vlanning at the switch level), 2) Could you throw me a sample config which does something like what I need? Or at least point me in the right direction?
Thanks
