I'm trying to build a gateway machine for my home network. The firewall needs to block everything from outside by default, and allow anything originating from inside. Obviously I will need NAT to translate between the internal/external address spaces.
I've never used PF on FreeBSD, so I decided to build my rules up from simple examples.
I first tried the example NAT ruleset from the FreeBSD Handbook, and it doesn't seem to pass any traffic from internal hosts at all.
Code:
ext_if = "igb0" # macro for external interface - use tun0 for PPPoE
int_if = "igb1" # macro for internal interface
localnet = $int_if:network # the network attached to the internal interface
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)
block all # default deny: every interface, both directions
pass from { lo0, $localnet } to any keep state # allow loopback and LAN sources; replies return via state
If I remove the block all, then it seems to work.
I found another similar ruleset online:
Code:
ext_if="igb0" # change this
set skip on lo0 # loopback is not filtered at all
nat on $ext_if from any to any -> ($ext_if)
block in on $ext_if # deny only inbound on the external interface; everything else keeps pf's default pass
and that passes traffic fine. I'm confused about the role of block in these two examples.
Either the rules from the Handbook are incomplete, or they are incorrect. What am I missing?
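The two rulesets differ first of all in where their block rule is evaluated. The script below is an added example, not part of the post and not Handbook or pfctl code: it expands the macros of both rulesets quoted above and maps each block/pass rule to the (interface, direction) pairs pf evaluates it on, then lists the outcome per interface and direction under pf's real semantics (implicit default pass, last matching rule wins, quick ends evaluation). It deliberately ignores addresses, protocols, ports and state, so it answers only the scope question and nothing about why the Handbook set behaves as observed. It also handles brace interface lists and quick, which the two rulesets do not use. The interface names igb0/igb1 and the two rulesets are copied from the post; the authoritative check on a real box is `pfctl -vnf /path/to/pf.conf`, which parses the file without loading it and prints the expanded rules.

```python
"""Toy scope map for pf.conf filter rules (added example: not pfctl, not Handbook code).
Expands simple macros and shows on which (interface, direction) pairs each block/pass
rule is evaluated. Addresses, protocols, ports and state are deliberately not modelled.
The two rulesets quoted in the post are embedded below so the script runs offline."""
import re
from dataclasses import dataclass
from types import SimpleNamespace

HANDBOOK = """
ext_if = "igb0"
int_if = "igb1"
localnet = $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state
"""
ONLINE = """
ext_if="igb0"
set skip on lo0
nat on $ext_if from any to any -> ($ext_if)
block in on $ext_if
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?(.+?)"?$')  # name = "value"; comments already stripped

@dataclass
class Rule:
    action: str        # 'block' or 'pass'
    directions: tuple  # ('in',), ('out',), or both when the rule names neither
    interfaces: tuple  # () means every interface
    quick: bool
    match: str         # address/protocol part, kept as text and not interpreted

def expand(value, macros):  # substitute $name; unknown names are left untouched
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), value)

def parse(text):
    rs = SimpleNamespace(macros={}, skipped=set(), rules=[])
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            rs.macros[m.group(1)] = expand(m.group(2), rs.macros)
            continue
        words = expand(line, rs.macros).split()
        if words[:3] == ['set', 'skip', 'on']:  # skipped interfaces are never filtered
            rs.skipped.update(n for w in words[3:] for n in w.strip('{}').split(',') if n)
            continue
        if words[0] not in ('block', 'pass'):
            continue  # nat/rdr and other set options are not filter rules
        directions, interfaces, quick, i = ('in', 'out'), (), False, 1
        while i < len(words):
            w = words[i]
            if w in ('in', 'out'):
                directions = (w,)
            elif w == 'quick':
                quick = True
            elif w == 'on':  # one interface, or a brace list such as { igb0, igb1 }
                i, names, in_list = i + 1, [], words[i + 1].startswith('{')
                while True:
                    names += [n for n in words[i].strip('{}').split(',') if n]
                    if not in_list or words[i].endswith('}'):
                        break
                    i += 1
                interfaces = tuple(names)
            elif w not in ('log', 'drop', 'return'):
                break  # start of the address part: all, from, proto, ...
            i += 1
        rs.rules.append(Rule(words[0], directions, interfaces, quick, ' '.join(words[i:])))
    return rs

def scope(rule, interfaces):  # (interface, direction) pairs on which pf evaluates the rule
    return {(i, d) for i in (rule.interfaces or tuple(interfaces)) for d in rule.directions}

def effective_action(rs, iface, direction):
    # Outcome if every rule's address part matched: pf's default is pass, the last
    # matching rule wins, and a 'quick' rule ends evaluation early.
    if iface in rs.skipped:
        return 'pass (skipped)'
    action = 'pass (default)'
    for rule in rs.rules:
        if (rule.interfaces and iface not in rule.interfaces) or direction not in rule.directions:
            continue
        action = rule.action
        if rule.quick:
            break
    return action

def report(name, text, interfaces):
    rs = parse(text)
    active = [i for i in interfaces if i not in rs.skipped]
    out = [f'== {name} ==  skipped: {sorted(rs.skipped) or "none"}']
    for rule in rs.rules:
        where = ', '.join(f'{i} {d}' for i, d in sorted(scope(rule, active)))
        out.append(f'  {rule.action:5} on [{where}]  match: {rule.match or "(everything)"}')
    out += [f'  {i} {d}: {effective_action(rs, i, d)}' for i in interfaces for d in ('in', 'out')]
    return '\n'.join(out)

if __name__ == '__main__':
    for name, text in (('Handbook ruleset', HANDBOOK), ('Second ruleset', ONLINE)):
        print(report(name, text, ('igb0', 'igb1', 'lo0')))
```

What the report makes visible: in the Handbook ruleset `block all` is evaluated on igb0 and igb1, inbound and outbound, so every forwarded packet is denied unless the later `pass from { lo0, $localnet }` matches it on that interface and in that direction. In the second ruleset the only filter rule is evaluated on inbound igb0; inbound igb1 and outbound traffic on both interfaces never meet a rule and stay at pf's implicit pass, which is why it permits everything from inside without an explicit pass line. The script says nothing about address matching after NAT, which is where the two rulesets would have to be compared next.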