I have been running a pf based filtering router on OpenBSD 4.3 for about a year now. My current task is to set up a new network segment for hosting our external sites.
My aim is that machines set up in this network segment should not have any more access to the rest of our network than a machine on the internet.
On the whole, this is quite close. We have the DNS server returning its external view to this network segment. The pf is not routing traffic from this segment to any segment other than the internet interface. However, I cannot seem to prevent it from routing packets to the router, if they are also allowed to go to the internet.
e.g.
block in
...
# tag dmz traffic as only allowed to internet
pass in on $dmz_if inet all tag INTERNET_ONLY
...
# Ensure only traffic allowed to Internet is passed
block out on $internet_if
block out on $internet_if tagged INTERNET_ONLY tag ROUTE_INTERNET
pass out on $internet_if tagged ROUTE_INTERNET
I would like to be able to add
block out on $local_if from $dmz_if:network
to block any packets from going to the router, but it appears that packets for the local host do not go out on lo0. How can I block them?
Have I misunderstood how this all works? Is there an option that I have missed to allow this?
Any suggestions?
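The following pf.conf fragment is an added illustration and is not the poster's ruleset. It shows where a rule has to sit to stop DMZ hosts from reaching the router itself: a packet addressed to one of the router's own addresses is consumed by the local stack right after the inbound pass on $dmz_if and never traverses an "out" rule on any interface (lo0 included), so the filter has to be an inbound rule on $dmz_if. It reuses the macro names from the question ($dmz_if, $internet_if), adds one hypothetical macro ($dmz_net), and assumes, as a hypothetical, that the only service the DMZ needs from the router is DNS on the router's DMZ address; drop that exception if the resolver lives elsewhere.

```pf
# Added example, not the original poster's configuration.
# Assumed macro names: $dmz_if and $internet_if as in the question,
# $dmz_net introduced here for readability.
dmz_net = "$dmz_if:network"

set skip on lo0

# Default deny: anything not explicitly passed below is dropped.
block all

# Packets from the DMZ to any address owned by the router ("self" expands
# to every address on every interface) terminate locally after the inbound
# pass and never hit an "out" rule, so they must be stopped here, inbound,
# and with "quick" so the general pass below cannot override the block.
#
# Hypothetical exception: DNS served from the router's DMZ address.
pass in quick on $dmz_if proto { tcp udp } from $dmz_net to ($dmz_if) port domain
block in quick on $dmz_if from $dmz_net to self

# Everything else from the DMZ may come in, but is only ever allowed to
# leave through the Internet-facing interface.
pass in on $dmz_if inet from $dmz_net tag INTERNET_ONLY
pass out on $internet_if tagged INTERNET_ONLY

# No "pass out" exists for the internal interface, so tagged DMZ traffic
# that the router would otherwise forward inward falls to "block all".
```

Order matters: the two "quick" rules are evaluated before the general "pass in" for the DMZ, so a DMZ host trying to reach the router's external or internal address is rejected on entry rather than being passed and then (never) filtered on the way out. Check the result with "pfctl -nf /etc/pf.conf" before loading, and with "pfctl -sr" afterwards to confirm the rule order is what you expect.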