yancm%sdf.org@localhost writes:
> On another topic, is this too restrictive on my local interface? :
>
> group "internal" on $int_if {
> block in all
> pass in final from $localnet0
> pass out final all to $localnet0
> }
> where:
> $localnet0 = { 192.168.1.0/24 }
> $int_if = "bge0"
> My reasoning is that everything coming into my local lan from the
> server should be going to my local network only and everything going
> into the server from my lan should be only from my local network
> address space... am I thinking about this correctly?
That is going to block multicast and broadcast. Probably you don't
want to do that.
One approach is to pass out with keep state (so the replies come in) and
then to allow inbound traffic to services you want reachable on
the LAN.
If you have a NetBSD host that is local (where you can type on it to rescue
it), I'd also suggest building a single-interface config first, e.g.:
block all apply "log"
pass final on lo0 all
pass in family inet4 proto icmp icmp-type echo all
pass in family inet4 proto igmp all
pass family inet6 proto ipv6-icmp all
pass stateful in proto tcp to any port ssh
pass stateful out all
log is really useful; you can tcpdump on the log file with -e and get
the rule number.
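As an added example (not from either poster), here is one way to write the "internal" group along the stateful lines suggested in the reply: pass out with state so replies come back, let IPv4 multicast/broadcast and IGMP through explicitly, and open only the LAN services you want (ssh here). It reuses the interface name and address block from the question and adds the "log" procedure that `apply "log"` needs; the multicast/broadcast destinations are standard ranges, not from the thread.

```npf
# Assumptions taken from the question
$int_if = "bge0"
$localnet0 = { 192.168.1.0/24 }

# Packets hitting a rule with apply "log" are copied to npflog0,
# which you can watch with: tcpdump -n -e -i npflog0
procedure "log" {
	log: npflog0
}

group "internal" on $int_if {
	# Default deny on the LAN interface; logged so rule hits are visible.
	# Later rules override this one (NPF uses last match unless "final").
	block all apply "log"

	# Outbound from the host to the LAN, with state so replies are
	# admitted without separate inbound rules.
	pass stateful out final all to $localnet0

	# Multicast and broadcast that a plain "from $localnet0" rule would
	# still block because of their destinations (mDNS, SSDP, DHCP, ...).
	pass in final family inet4 proto igmp all
	pass in final family inet4 proto udp from $localnet0 to 224.0.0.0/4
	pass in final family inet4 proto udp to 255.255.255.255
	pass in final family inet4 proto udp to 192.168.1.255

	# Diagnostics
	pass in final family inet4 proto icmp icmp-type echo from $localnet0
	pass final family inet6 proto ipv6-icmp all

	# Services reachable from the LAN: add one stateful line per service
	pass stateful in final proto tcp from $localnet0 to any port ssh
}

group default {
	pass final on lo0 all
	block all apply "log"
}
```

Check the syntax with `npfctl validate /etc/npf.conf` before `npfctl reload`; if something you expect is still dropped, the rule number in the tcpdump -e output on npflog0 tells you which block line caught it.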