Quote:
Originally posted by jimbeaujones
Is this pf.conf doing what I want?
Apparently not ...
You need a
block in log quick from $subnet1 to $subnet2 in there somewhere (assuming $subnet1 is the untrusted machine). Right after
pass quick on lo0 # { lo $int_if } should work. Also, these 4 rules are what's causing you grief, not NAT:
pass in quick on $int_if1 from $subnet1 to any flags S/SA keep state label "intranet1 bound"
pass in quick on $int_if2 from $subnet2 to any flags S/SA keep state label "intranet2 bound"
pass out quick on $int_if1 from {$subnet1, $subnet2} to $subnet1 flags S/SA keep state label "intranet1 outbound"
pass out quick on $int_if2 from {$subnet1, $subnet2} to $subnet2 flags S/SA keep state label "intranet2 inbound"
Sounds like you want to block that traffic, but here you explicitly allow it (same for the UDP rules below them).
Also, change this:
privnets = "{ 172.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8}"
to this:
privnets = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"
All of the 192.168.0.0/24 class Cs are private. 172.0.0.0/8 isn't correct either (it's not a class A, and even if it were, part of it is public).
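A complete pf.conf illustrating the reply above: the logged block rule placed ahead of the pass rules so that "quick" stops evaluation before the intranet rules allow the traffic, plus the corrected privnets macro used for its usual purpose of dropping spoofed RFC 1918 addresses on the external interface. This is an added example, not the original poster's configuration; the interface names (em0/em1/em2), the two subnets and the external-interface anti-spoofing rules are assumptions, not from the thread.

```pf
# Macros (interface names and subnets are assumed for this example)
ext_if  = "em0"
int_if1 = "em1"
int_if2 = "em2"
subnet1 = "192.168.1.0/24"   # assumed untrusted subnet
subnet2 = "192.168.2.0/24"   # assumed trusted subnet

# Corrected private-address list: exactly the three RFC 1918 blocks
privnets = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Loopback is never filtered (modern equivalent of "pass quick on lo0")
set skip on lo0

# NAT for both internal subnets out the external interface (assumed layout)
nat on $ext_if from { $subnet1, $subnet2 } to any -> ($ext_if)

# Anti-spoofing: private source addresses must never arrive on, or leave via,
# the external interface. The "log" keyword records each hit on pflog0.
block drop in  log quick on $ext_if from $privnets to any
block drop out log quick on $ext_if from any to $privnets

# The rule the reply asks for: untrusted subnet may not reach the trusted one.
# It sits BEFORE the pass rules; because it is "quick", a matching packet is
# dropped and logged here and the later "pass in quick ... from $subnet1 to any"
# never gets a chance to allow it.
block in log quick from $subnet1 to $subnet2

# Original intranet rules, unchanged: $subnet1 can still reach the Internet,
# $subnet2 can reach anything (including $subnet1, since only one direction
# is blocked above).
pass in quick on $int_if1 from $subnet1 to any flags S/SA keep state label "intranet1 bound"
pass in quick on $int_if2 from $subnet2 to any flags S/SA keep state label "intranet2 bound"
pass out quick on $int_if1 from { $subnet1, $subnet2 } to $subnet1 flags S/SA keep state label "intranet1 outbound"
pass out quick on $int_if2 from { $subnet1, $subnet2 } to $subnet2 flags S/SA keep state label "intranet2 outbound"

# Everything not explicitly passed above is dropped
block drop in log all
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the block rule is actually firing with `tcpdump -n -e -ttt -i pflog0` while a host on $subnet1 tries to reach $subnet2. If the trusted side should also be kept from initiating connections to the untrusted side, add the mirror-image `block in log quick from $subnet2 to $subnet1` directly under the first block rule; note that since the pass rules create state, replies to connections opened from $subnet2 are still allowed back.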