On 2024-12-29 10:14, Jon Fineman wrote:
> On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
>> On 2024-12-24 08:27, Jon Fineman wrote:
>>>>
>>>>> third subnet ($wired3) (10.0.3.x) I would like to restrict traffic
>>>>> between it
>>>>> and the ISP. Clients on 10.0.3.x should not be able to access the
>>>>> other subnets.
>>
>> Some notes:
>> - You wrote that you want to restrict traffic between $wired3 and the
>> ISP, but I don't see that in your rules. In addition to blocking all
>> traffic between $wired3 and the other subnets, do you also want to
>> prevent all $wired3 traffic from leaving your network (Internet
>> access)?
>
> That was a poor choice of words. By restrict I meant I would like
> traffic to pass between $wired3 and $isp. I.e. restrict that traffic to
> that path.
Okay, now I understand.
> Thank you both for your help.
>
> It turns out my understanding and test case were poor.
>
> My test case was placing a laptop on the $wired3 subnet and seeing
> what it could access. I could get out to the internet (good). I could
> also reach devices on my old network (bad). I didn't have any other
> devices on $wired1 or $wired2 at this point to test.
>
> I mentally associated $isp with, well, my ISP. That was flawed, as it
> really was just my upstream connection to my ISP and my old network. So
> my laptop was able to reach my old network via the $isp connection,
> which was implicitly allowed (lack of a rule for that).
>
> So there is a rule for that now until I completely migrate over. Also I
> have another device on $wired1 which it can't access (good).
>
> At least now I have a much better understanding of the PF rules. Not
> great but better.
>
> Thanks.
>
> Jon
That's good. Just keep at it, read the man pages, learn from other pf
configuration files you come across, and put it all together.
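An added example pf.conf (OpenBSD syntax) expressing the intent discussed in this thread: $wired3 may only reach the Internet through $isp, not the other subnets, and not the old network that also sits behind $isp. This is not Jon's ruleset; the interface names, the 10.0.1.0/24 and 10.0.2.0/24 ranges and the old-network range 192.168.1.0/24 are assumptions.

```pf
# Assumed interface names and ranges (not from the thread).
isp    = "em0"   # upstream link; the old network is also reachable here
wired1 = "em1"   # 10.0.1.0/24
wired2 = "em2"   # 10.0.2.0/24
wired3 = "em3"   # 10.0.3.0/24, allowed out only via $isp
old_net  = "192.168.1.0/24"                        # assumed old network
internal = "{ 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 }"

set skip on lo0
match out on $isp inet from !($isp:network) to any nat-to ($isp)

# Default deny: everything below is an explicit exception.
block log all

# $wired3 hosts may still talk to the firewall's own address on that
# interface (gateway, DNS, DHCP); "quick" stops evaluation here.
pass in quick on $wired3 from $wired3:network to ($wired3)

# Block $wired3 toward the other subnets and toward the old network.
# The second rule is the one that was missing in the thread: without it,
# traffic to the old network leaves via $isp and is passed by default.
block in quick on $wired3 from $wired3:network to $internal
block in quick on $wired3 from $wired3:network to $old_net

# Everything else from $wired3 goes out via $isp only.
pass in on $wired3 from $wired3:network to any

# The other subnets and the firewall itself are unrestricted here.
pass in on { $wired1 $wired2 } from $internal to any
pass out on $isp
```

Check the intended policy with `pfctl -nf /etc/pf.conf` before loading, then verify from a $wired3 host that the old network and 10.0.1.x/10.0.2.x are unreachable while Internet access still works.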