Tuesday, December 24, 2024

Re: PF Question/Help

On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
>On 12/23/24 19:31, Jon Fineman wrote:
>
>>third subnet ($wired3) (10.0.3.x) I would like to restrict traffic between it
>>and the ISP. Clients on 10.0.3.x should not be able to access the
>>other subnets.
>
>Take a look at the rules from your pf.conf:
>
>> block out quick from $wired3 to { $wired1 $wired2 }
>
>and what they get translated to:
>
>> block drop out quick inet from 10.0.3.1 to 10.0.1.1
>> block drop out quick inet from 10.0.3.1 to 10.0.2.1
>
>So apparently $wired1 $wired2 are not the network behind them, but
>only the interface itself, as is $wired3.
>
>You might want:
>
>block quick from em3:network to { em1:network em2:network }
>
>instead.
>
>best /m
>

I haven't been able to get that to work. And I have triple checked I
am plugged in to the correct ports.

In addition, I changed my rules a bit to restrict to just IPv4 to
simplify things.

So a snippet of the change is:

block quick from em3:network to { em1:network em2:network }
pass out quick inet from $wired3 to $isp
pass in on { $isp $wired1 $wired2 $wired3 } inet
pass out inet from { $isp $wired1 $wired2 }
And the pfctl output is:

block drop all
block drop quick inet from 10.0.3.0/24 to 10.0.1.0/24
block drop quick inet from 10.0.3.0/24 to 10.0.2.0/24
pass out quick inet from 10.0.3.1 to 10.0.0.99 flags S/SA
pass in on em0 inet all flags S/SA
pass in on em1 inet all flags S/SA
pass in on em2 inet all flags S/SA
pass in on em3 inet all flags S/SA
pass out inet from 10.0.0.99 to any flags S/SA
pass out inet from 10.0.1.1 to any flags S/SA
pass out inet from 10.0.2.1 to any flags S/SA
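To make the difference Markus points out concrete (a macro such as $wired3 expands to the interface address 10.0.3.1 only, while em3:network expands to 10.0.3.0/24), here is an added Python model of pf rule evaluation; it is not part of the thread and not pf itself. It assumes a stateless, last-match-wins evaluation in which a matching `quick` rule ends the search, ignores flags and address family, and feeds in the rules exactly as pfctl printed them above.

```python
import ipaddress
from collections import namedtuple

# Simplified model of pf rule evaluation (assumption: stateless, "flags S/SA"
# and "inet" ignored). Rules are checked in order; the last matching rule
# decides, unless a matching "quick" rule ends evaluation immediately.
Rule = namedtuple("Rule", "action quick direction iface src dst")

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False) if cidr else None

def rule(action, quick=False, direction=None, iface=None, src=None, dst=None):
    return Rule(action, quick, direction, iface, _net(src), _net(dst))

# The two block rules as pfctl expanded "$wired3 to { $wired1 $wired2 }":
# the macros hold interface addresses, so only single /32 hosts are named.
MACRO_BLOCKS = [
    rule("block", quick=True, direction="out", src="10.0.3.1", dst="10.0.1.1"),
    rule("block", quick=True, direction="out", src="10.0.3.1", dst="10.0.2.1"),
]

# The revised rule set using em3:network, as printed by pfctl above.
REVISED = [
    rule("block"),
    rule("block", quick=True, src="10.0.3.0/24", dst="10.0.1.0/24"),
    rule("block", quick=True, src="10.0.3.0/24", dst="10.0.2.0/24"),
    rule("pass", quick=True, direction="out", src="10.0.3.1", dst="10.0.0.99"),
    rule("pass", direction="in", iface="em0"),
    rule("pass", direction="in", iface="em1"),
    rule("pass", direction="in", iface="em2"),
    rule("pass", direction="in", iface="em3"),
    rule("pass", direction="out", src="10.0.0.99"),
    rule("pass", direction="out", src="10.0.1.1"),
    rule("pass", direction="out", src="10.0.2.1"),
]

def matches(r, direction, iface, src, dst):
    """A None field in the rule means 'any' for that attribute."""
    return (r.direction in (None, direction) and r.iface in (None, iface)
            and (r.src is None or src in r.src)
            and (r.dst is None or dst in r.dst))

def evaluate(rules, direction, iface, src, dst):
    """Return (action, index of deciding rule); pf passes implicitly when
    no rule matches, which is why the macro list alone lets clients through."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = ("pass", None)
    for i, r in enumerate(rules):
        if matches(r, direction, iface, s, d):
            decision = (r.action, i)
            if r.quick:
                break
    return decision
```

A client packet 10.0.3.5 to 10.0.1.5 never touches the macro-expanded block rules, but with the :network form it is stopped by the quick rule even though "pass in on em3" follows it.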
