Sunday, December 29, 2024

Re: PF Question/Help

On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
>On 2024-12-24 08:27, Jon Fineman wrote:
>>>
>>>>third sub net ($wired3) (10.0.3.x) I would like to restrict
>>>>traffic between it
>>>>and the ISP. Clients on 10.0.3.x should not be able to access the
>>>>other sub nets.
>
>Some notes:
>- You wrote that you want to restrict traffic between $wired3 and the
> ISP, but I don't see that in your rules. In addition to blocking all
> traffic between $wired3 and the other subnets, do you also want to
> prevent all $wired3 traffic from leaving your network (Internet
> access)?

That was a poor choice of words. By restrict I meant I would like
traffic to pass between $wired3 and $isp. I.e. restrict that traffic
to that path.

Thank you both for your help.

It turns out my understanding and test case was poor.

My test case was placing a laptop on the $wired3 subnet and seeing
what it could access. I could get out to the internet (good). I could
also reach devices on my old network (bad). I didn't have any other
devices on $wired1 or $wired2 at this point to test.

I mentally associated $isp with, well, my ISP. That was flawed, as it
really was just my upstream connection to my ISP and my old network.
So my laptop was able to reach my old network via the $isp connection,
which was explicitly allowed (lack of rule for that).

So there is a rule for that now until I completely migrate over. Also
I have another device on $wired1 which it can't access (good).

At least now I have a much better understanding of the PF rules. Not
great but better.

Thanks.

Jon
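The ruleset shape the thread is describing, written out as an added example (this is not Jon's pf.conf, which the thread never shows). It uses OpenBSD pf.conf syntax; the interface names, the 10.0.1.0/24 and 10.0.2.0/24 prefixes for $wired1 and $wired2, and the 192.168.1.0/24 prefix for the old network are assumptions, since the post only gives $wired3 as 10.0.3.x. The point it illustrates is the one Jon ran into: a plain "pass from $wired3 to any" also reaches whatever else sits behind the upstream link, so the old network has to be blocked explicitly until the migration is done.

```pf
# Assumed interface names: the post only names the macros.
ext_if    = "em0"   # $isp: the upstream link, which also reaches the old network
wired1_if = "em1"
wired2_if = "em2"
wired3_if = "em3"

wired1  = "10.0.1.0/24"      # assumed
wired2  = "10.0.2.0/24"      # assumed
wired3  = "10.0.3.0/24"      # from the post: 10.0.3.x
old_net = "192.168.1.0/24"   # assumed prefix of the old network behind $ext_if

set skip on lo0

# Outbound NAT for the inside subnets (OpenBSD match/nat-to syntax).
match out on $ext_if inet from { $wired1, $wired2, $wired3 } nat-to ($ext_if)

# Default deny; everything that is allowed is passed explicitly below.
block log all

# $wired3 is confined to the upstream path. The quick block must precede
# the pass: "pass ... to any" alone would let 10.0.3.x reach the old
# network through $ext_if, which is exactly what the test laptop showed.
block return in quick on $wired3_if from $wired3 to { $wired1, $wired2, $old_net }
pass in on $wired3_if inet from $wired3 to any

# The other subnets must not reach $wired3 either. Replies to connections
# that $wired3 hosts opened are still allowed by the state created above.
block return in quick on { $wired1_if, $wired2_if } to $wired3
pass in on { $wired1_if, $wired2_if } inet to any

# Let everything the inbound rules admitted leave via the upstream link.
pass out on $ext_if inet
```

Before loading this, check the syntax with `pfctl -nf /etc/pf.conf` (parse only), load it with `pfctl -f /etc/pf.conf`, and confirm the order of the loaded rules with `pfctl -sr`. The useful test is then the same one from the post: from a host on $wired3, try an address on the old network and one on $wired1 (both should fail) and an Internet address (should succeed), and watch the `block log` hits with `tcpdump -n -e -ttt -i pflog0` to see which rule dropped what.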
