PF firewall

Hi,
I have a public interface (vlan99) configured on my machine (FreeBSD machine 13.1-RELEASE FreeBSD 13.1-RELEASE releng/13.1-n250148-fc952ac2212 GENERIC amd64). I have configured DNS on it and I want to configure the PF firewall for only this public interface (vlan99), in a way that only traffic for port 53 from a network, say 192.168.10.0/24, is allowed on this interface; all other traffic destined for this interface is blocked. Can anyone help me write this rule?

Regards
 
I have configured DNS on it and I want to configure the PF firewall for only this public interface (vlan99), in a way that only traffic for port 53 from a network, say 192.168.10.0/24, is allowed on this interface; all other traffic destined for this interface is blocked.
Pretty simple ruleset.

Code:
ext_if="vlan99"

# Default deny for inbound traffic, on every interface.
block in all
# Allow DNS (UDP and TCP) from the client network to this host's address(es) on vlan99.
# ($ext_if) in parentheses tracks the interface's addresses if they change.
pass in on $ext_if inet proto {udp,tcp} from 192.168.10.0/24 to ($ext_if) port 53

And update your system: 13.1-RELEASE is now end-of-life and not supported any more.
 
There are other interfaces as well, like vlan97, vlan98, etc., on my machine. What would make this rule stick only with the interface vlan99?
I am wondering if block in all will block all the traffic, i.e. traffic destined to interfaces like vlan97 and vlan98.
 
What would make this rule stick only with the interface vlan99?
This line:
Code:
ext_if="vlan99"

I am wondering if block in all will block all the traffic, i.e. traffic destined to interfaces like vlan97 and vlan98.
Yes, it will. You'll need to create whitelist rules for those as well, given the example above.
There are basically two approaches: blacklisting and whitelisting. For most firewalls you'd do whitelisting, meaning that the first rule blocks all (incoming) connections and then you add the rules necessary to pass the traffic as desired.
 
BTW, is upgrading 13.1-RELEASE to 13.2-RELEASE smooth? Or is it bumpy, like it could break services?
 
The following lines should do the trick? I guess.

Code:
set skip on vlan97
set skip on vlan98
block in all
pass in on vlan99 inet proto {udp,tcp} from 192.168.10.0/24 to vlan99 port 53
 
I suggest you actually read pf.conf(5) and try to understand how things work before making assumptions.

Code:
     set skip on <ifspec>
           List interfaces for which packets should not be filtered.  Packets
           passing in or out on such interfaces are passed as if pf was
           disabled, i.e. pf does not process them in any way.  This can be
           useful on loopback and other virtual interfaces, when packet
           filtering is not desired and can have unexpected effects.  For
           example:
Note how it says it will pass everything and ignore any and all rules you may have put in place, which is the exact opposite of what you're trying to accomplish.

BTW, is upgrading 13.1-RELEASE to 13.2-RELEASE smooth?
Smooth as a baby's bottom.
Like it could break services?
It shouldn't. Keeping 13.1 may actually break things, as the package repos are now being built for 13.2 specifically.
 
The following lines should do the trick? I guess.

Code:
set skip on vlan97
set skip on vlan98
block in all
pass in on vlan99 inet proto {udp,tcp} from 192.168.10.0/24 to vlan99 port 53
Yes, but that allows all inbound and outbound traffic over interfaces vlan97 and vlan98.
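The thread ends without showing a ruleset that leaves vlan97 and vlan98 alone without resorting to set skip. The script below is an added example, not code posted by anyone in the thread: it emits such a pf.conf and syntax-checks it with pfctl -nf. The interface name (vlan99) and client network (192.168.10.0/24) come from the question; the set skip on lo0 line, the macro names and the temp-file location are assumptions. The key change against the first answer is "block in on $ext_if" in place of "block in all", so the default deny is scoped to the public interface and the other interfaces fall through to pf's implicit pass.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface and network come from the
# question; the lo0 skip, macro names and output location are assumed.

# Emit a pf.conf that filters vlan99 only. "block in on $ext_if" replaces
# "block in all", so vlan97/vlan98 are never matched by the default deny.
gen_ruleset() {
    cat <<'EOF'
ext_if = "vlan99"
dns_clients = "192.168.10.0/24"

# Loopback is never filtered (assumed; the thread does not mention lo0).
set skip on lo0

# Default deny, scoped to the public interface only. Other interfaces
# (vlan97, vlan98, ...) are not touched by this rule.
block in on $ext_if

# Only DNS from the client network may reach this host's vlan99 address(es).
# ($ext_if) in parentheses is re-evaluated when the interface's addresses
# change; a bare "vlan99" is expanded once, when the ruleset is loaded.
# Both UDP and TCP: TCP carries truncated answers and zone transfers.
pass in on $ext_if inet proto { udp, tcp } from $dns_clients to ($ext_if) port 53
EOF
}

# Parse-only check (pfctl -n does not load the rules). Skipped where pfctl
# is not installed, so the script can be run on a non-BSD box too.
check_ruleset() {
    file=$1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$file"
    else
        echo "pfctl not available here; skipping parse check of $file" >&2
    fi
}

out=$(mktemp)
gen_ruleset > "$out"
check_ruleset "$out"
echo "ruleset written to $out"
```

There is no pass out rule because nothing blocks outbound traffic: pf passes by default, and on FreeBSD a pass rule keeps state unless told otherwise, so replies to the DNS queries are matched by state anyway. After copying the output to /etc/pf.conf, load it with pfctl -f /etc/pf.conf (or service pf reload) and confirm with pfctl -sr that only vlan99 appears in the loaded rules. If you prefer the whitelisting layout from the first answer (block in all), the equivalent is to add explicit pass in on vlan97 and pass in on vlan98 rules, which is exactly what "allows all inbound and outbound traffic" on those interfaces refers to.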
 