PF Pf rules

I have the following rules.

Code:
### Packets from Internal Network ###

pass in on $intif inet proto icmp all icmp-type $icmp_types keep state
pass in on $intif proto tcp to $intif port $allowed_tcp_ports

pass in on $extif inet proto icmp all icmp-type $icmp_types keep state

pass proto tcp to any port $allowed_tcp_ports
pass inet proto icmp all icmp-type $icmp_types keep state

What I want to achieve is this:

intif is on the internal network and will be the gateway to get out of the network. So from inside the network I want to be able to ping, SSH and HTTPS to anything outside of the network via $extif. But, I do not want anyone to be able to use the SSH, HTTPS ports from outside the network to the $extif.

client machine {ssh 192.168.0.50} >> gateway {10.10.10.10} >> forward to $extif >>> server {192.168.0.50 }
server {192.168.0.50 } ssh 10.10.10.10 >>> block ssh denied

What have I done wrong in my rules?
 
It's okay, I figured it out.
 
But, I do not want anyone to be able to use the SSH, HTTPS ports from outside the network to the $extif.

By default PF accepts everything. In order to block it, the simplest is to block everything, then only allow what you want.

Code:
block in on $extif all
 
Thanks SirDice,

Actually I didn't seem to figure it out, but I will try what you said. Are my rules correct for what I want to achieve?
 
Your rules aren't quite right, or at the very least, should be written more clearly and with better performance in mind. To achieve the latter, I recommend only using quick rules, thus making pf a 'first match' firewall. For the former, I'd write them something like this:
Code:
pass in quick on $int_if inet proto tcp from $int_if:network to any port { 22, 443 }
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 22, 443 }

# ... additional rules here for ICMP or whatever ...

block quick all
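For reference, here is a complete filter section that puts the two answers together: SirDice's explicit block on the external interface first, then the first-match quick rules from the last reply, then a default deny. This is an added example, not any poster's ruleset; the interface names, macro values and ICMP type are assumptions.

```pf
# Added example for this thread (not from any poster). Interface names,
# allowed ports and ICMP type are assumed; adjust to your setup.
int_if = "em1"                      # assumed: internal (10.10.10.10) side
ext_if = "em0"                      # assumed: Internet-facing interface
allowed_tcp_ports = "{ 22, 443 }"
icmp_types = "echoreq"

set skip on lo0

# Inbound from the Internet: SSH/HTTPS aimed at $ext_if's own address is
# dropped here. With 'quick' the first matching rule wins, so nothing
# below can accidentally pass it.
block in quick on $ext_if inet proto tcp to ($ext_if) port $allowed_tcp_ports

# Internal clients may reach SSH/HTTPS and ping anything. pf keeps state
# by default, so replies come back through $ext_if without their own rule.
pass in quick on $int_if inet proto tcp from $int_if:network to any port $allowed_tcp_ports
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type $icmp_types

# The forwarded packets then leave via $ext_if; pass them out as well.
pass out quick on $ext_if inet proto tcp from $int_if:network to any port $allowed_tcp_ports
pass out quick on $ext_if inet proto icmp from $int_if:network to any icmp-type $icmp_types

# Default deny: anything not matched above is dropped in both directions.
block quick all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the gateway's own outbound traffic (DNS, updates) still needs rules of its own, since `block quick all` drops it otherwise.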
 