LinuxQuestions.org
Old 12-17-2004, 03:57 AM   #1
jimbeaujones
LQ Newbie
 
Registered: Dec 2004
Posts: 1

no nat - not-so-trusted nic


Hey,
To make a long story short - I have a network with a not-so-trusted machine. So I have it on its own physical network and I have two internal nics in my gateway. I'm trying to achieve no nat between my internal networks but I can still ping between them. Also the not-so-trusted machine has been able to be accessed from the outside without any redirection which makes me nervous. Is this pf.conf doing what I want? Thanks for your help.



# interfaces
ext_if="rl0"
int_if1="rl1"
int_if2="rl2"
int_ifs="{" $int_if1 $int_if2 "}"

# internal networks, taken from the interface addresses
subnet1="rl1:network"
subnet2="rl2:network"

privnets = "{ 172.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8}"

nat_proto = "{tcp, udp, icmp}"

# options
set block-policy return

scrub in all
scrub out all random-id

# no translation between the two internal networks
no nat on {$int_if1, $int_if2} inet proto $nat_proto from $subnet1 to $subnet2
no nat on {$int_if1, $int_if2} inet proto $nat_proto from $subnet2 to $subnet1

# both internal networks are translated to the external address
nat on $ext_if inet proto $nat_proto from $subnet1 to any tag SUB1 -> ($ext_if)
nat on $ext_if inet proto $nat_proto from $subnet2 to any tag SUB2 -> ($ext_if)

# default deny, then explicit passes
block log all

pass quick on lo0 # { lo $int_if }

# traffic entering from each internal network, and leaving towards it
pass in quick on $int_if1 from $subnet1 to any flags S/SA keep state label "intranet1 bound"
pass in quick on $int_if2 from $subnet2 to any flags S/SA keep state label "intranet2 bound"

pass out quick on $int_if1 from {$subnet1, $subnet2} to $subnet1 flags S/SA keep state label "intranet1 outbound"

pass out quick on $int_if2 from {$subnet1, $subnet2} to $subnet2 flags S/SA keep state label "intranet2 inbound"

#udp
pass in quick on $int_if1 proto udp from $subnet1 to any keep state label "intranet1 udp inbound"
pass in quick on $int_if2 proto udp from $subnet2 to any keep state label "intranet2 udp inbound"
pass out quick on $int_if1 proto udp from {$subnet1, $subnet2} to $subnet1 keep state label "intranet1 udp outbound"
pass out quick on $int_if2 proto udp from {$subnet1, $subnet2} to $subnet2 keep state label "intranet2 udp outbound"

# outbound from the gateway's external address
pass out on $ext_if from ($ext_if) to any flags S/SA modulate state

# private (non-routable) source/destination addresses never cross the external interface
block drop in quick on $ext_if from $privnets to any
block out quick on $ext_if from any to $privnets

block return-icmp in log quick on $ext_if proto tcp from any to ($ext_if) port auth
 
Old 12-17-2004, 02:48 PM   #2
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Re: no nat - not-so-trusted nic

Quote:
Originally posted by jimbeaujones
Is this pf.conf doing what I want?
Apparently not ...

You need a block in log quick from $subnet1 to $subnet2 in there somewhere (assuming $subnet1 is the untrusted machine). Right after pass quick on lo0 # { lo $int_if } should work. Also, these 4 rules are what's causing you grief, not NAT:

pass in quick on $int_if1 from $subnet1 to any flags S/SA keep state label "intranet1 bound"
pass in quick on $int_if2 from $subnet2 to any flags S/SA keep state label "intranet2 bound"
pass out quick on $int_if1 from {$subnet1, $subnet2} to $subnet1 flags S/SA keep state label "intranet1 outbound"
pass out quick on $int_if2 from {$subnet1, $subnet2} to $subnet2 flags S/SA keep state label "intranet2 inbound"

Sounds like you want to block that traffic, but here you explicitly allow it (same for the UDP rules below them).

Also, change this:
privnets = "{ 172.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8}"
to this:
privnets = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"
All of the 192.168.0.0/24 class Cs are private. 172.0.0.0/8 isn't correct either (it's not a class A, and even if it were, part of it is public).

Last edited by sigsegv; 12-17-2004 at 02:52 PM.
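The two points in the reply above (the pass rules let the untrusted subnet reach the trusted one, and the privnets list is not a clean RFC 1918 list) can both be checked without a BSD box. The following is an added example, not code from the thread or from pf: a toy evaluator of pf's rule-matching order (last matching rule wins unless a matching rule is quick) run over the posted rules, plus a prefix check for the privnets macro. It only models direction, interface and address matching; protocol, TCP flags and state are ignored. Interface names are the posted ones, while the two subnet prefixes (10.1.0.0/24 and 10.2.0.0/24) are constructed stand-ins for rl1:network and rl2:network.

```python
"""Toy model of pf rule evaluation for the rules posted in this thread.

Added example, not part of the thread and not pf's own code. It models only
direction, interface and address matching, "quick" ending evaluation, and
otherwise last-matching-rule-wins. Protocol, flags and state are ignored,
so a "pass" here means the packet passes for every protocol the rule does
not restrict (the posted pass rules name no proto, so ICMP is included).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for rl1:network (not-so-trusted) and rl2:network.
SUBNET1 = ip_network("10.1.0.0/24")
SUBNET2 = ip_network("10.2.0.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in", "out", or "" for both
    iface: str         # interface name, or "" for any interface
    src: tuple         # networks, like pf's "{ a, b }" address list
    dst: tuple
    quick: bool = False
    label: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("", pkt.direction)
            and rule.iface in ("", pkt.iface)
            and any(ip_address(pkt.src) in n for n in rule.src)
            and any(ip_address(pkt.dst) in n for n in rule.dst))


def evaluate(rules, pkt: Packet):
    """pf semantics: the last matching rule wins, unless a matching rule is quick."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick:
                break
    return winner


# The posted address-only filter rules, in order (the UDP copies behave the same way).
ORIGINAL = [
    Rule("block", "", "", (ANY,), (ANY,), label="block log all"),
    Rule("pass", "", "lo0", (ANY,), (ANY,), quick=True, label="lo0"),
    Rule("pass", "in", "rl1", (SUBNET1,), (ANY,), quick=True, label="intranet1 bound"),
    Rule("pass", "in", "rl2", (SUBNET2,), (ANY,), quick=True, label="intranet2 bound"),
    Rule("pass", "out", "rl1", (SUBNET1, SUBNET2), (SUBNET1,), quick=True, label="intranet1 outbound"),
    Rule("pass", "out", "rl2", (SUBNET1, SUBNET2), (SUBNET2,), quick=True, label="intranet2 inbound"),
]

# The reply's suggestion: a quick block from subnet1 to subnet2 right after the lo0 rule.
FIXED = ORIGINAL[:2] + [
    Rule("block", "in", "", (SUBNET1,), (SUBNET2,), quick=True, label="block subnet1 -> subnet2"),
] + ORIGINAL[2:]


def verdict(rules, pkt: Packet) -> str:
    r = evaluate(rules, pkt)
    return f"{r.action} ({r.label})" if r else "pass (no rule matched)"


# RFC 1918 private ranges, used to check the privnets macro.
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def privnets_problems(entries) -> dict:
    """Flag entries that are not clean RFC 1918 prefixes: host bits set in the
    prefix (e.g. 192.168.1.0/16), or a prefix reaching outside private space."""
    problems = {}
    for e in entries:
        try:
            net = ip_network(e)   # strict parsing rejects host bits set
        except ValueError:
            problems[e] = "host bits set"
            continue
        if not any(net.subnet_of(p) for p in RFC1918):
            problems[e] = "covers non-private addresses"
    return problems


if __name__ == "__main__":
    untrusted_to_trusted = Packet("in", "rl1", "10.1.0.5", "10.2.0.7")
    print("original:", verdict(ORIGINAL, untrusted_to_trusted))
    print("with block:", verdict(FIXED, untrusted_to_trusted))
    print(privnets_problems(["172.0.0.0/8", "192.168.1.0/16", "172.16.0.0/12", "10.0.0.0/8"]))
    print(privnets_problems(["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]))
```

Run as a script it shows the packet from the untrusted subnet winning on "intranet1 bound" under the posted rules and hitting the inserted block once the reply's rule is in place, while the trusted-to-untrusted direction is still passed (the suggested block covers one direction only). Because the model is stateless, it does not show what `keep state` does for reply packets; on a real box `pfctl -nf pf.conf` for syntax and `pfctl -sr` / `pfctl -ss` for the loaded rules and states are the checks to pair with this.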