# (pf) Block a client from WAN but allow LAN



## dextro_ (Sep 7, 2010)

I have a FreeBSD 7.2-RELEASE-p4 machine with PF running as a gateway for my LAN. I am trying to block a client from accessing the Internet but can't find anything in the PF docs or on Google.

/etc/pf.conf
	
	



```
# macros
wan1="ste0"
#wan2="ste1"
lan1="vr0"
lan1r="10.0.0.0/24"

pc1="10.0.0.2"
x360="10.0.0.3"
ps3="10.0.0.4"

# options
#set block-policy return
#set loginterface $wan1
set skip on lo

# scrub
#scrub in

# nat/rdr
nat on $wan1 from $lan1r to any -> ($wan1:0) static-port

# Remote Desktop
rdr on $wan1 proto tcp from any to any port 3389 -> $pc1

# Hamachi
rdr on $wan1 proto {tcp, udp} from any to any port 39004 -> $pc1

# Starcraft II
rdr on $wan1 proto {tcp, udp} from any to any port 1119 -> $pc1

# Xbox Live
rdr on $wan1 proto {tcp, udp} from any to any port 3074 -> $x360

# I have tried all these to block the PS3 from Internet access without success.
#block out on $wan1 from $ps3 to any
#pass in quick on $lan1 from $ps3 to $lan1r
#block out on $wan1 from $ps3
```

I don't want to risk my PS3 auto updating and disabling OtherOS in case anyone was wondering why I would want to block Internet access to my PS3.


----------



## SirDice (Sep 7, 2010)

Keep in mind that NAT happens before any filtering rules. So you have to block it coming in.


```
block in on $lan1 from $ps3 to any
```

Also, don't allow RDP from the internet to your PC. Unless you like getting hacked.


----------



## dextro_ (Sep 7, 2010)

Haven't been hacked yet but thanks for the correct rule works great!


----------

