# Help creating pf rules (inbound and outbound traffic)



## crazychip (Feb 6, 2012)

Hi.

I have in the past set up my firewalls to filter traffic only one way (allowing everything out, but only certain stuff in) like this:

```
block in...
pass out quick
#add rules for ssh, www and other stuff here
```

Now I have a scenario where I must filter both in and out.






The Office network is considered safer than project networks due to its strict enforcement of antivirus and patching and must be protected from the unsafe project networks. But hosts on the project network must be available to the hosts on the Office network on stuff like SSH and RDP.

So if this is the start of my config file (see below), what must the pass rules look like to allow hosts in the office network to talk to hosts in the project networks on SSH, RDP, etc.?


```
block in on $ext_if
block out on $ext_if

# what do I need to put here?
```


----------



## SirDice (Feb 6, 2012)

PF will use stateful rules by default. So you wouldn't have to do much more than usual.


```
project_int="em1"
office_int="em0"

project_net="{192.168.1.0/24,192.168.2.0/24}"
allowed_ports="{22, 3389}"

# Don't filter loopback traffic
set skip on lo0

# Default deny in both directions on every interface
block all

# Only allow certain traffic from office to project
pass in on $office_int proto tcp from any to $project_net port $allowed_ports keep state

# Allow everything from projects to office
pass in on $project_int from any to any keep state
```


----------



## crazychip (Feb 7, 2012)

That nicely answered my question. A quick follow-up. I have split the network up in several VLANs and also my IP range:
10.47.205.0/16
10.47.205.16/16
etc.

Can I define these networks in the firewall as 10.47.205.0/24 for the rule

```
# Only allow certain traffic from office to project
pass in on $office_int proto tcp from any to $project_net port $allowed_ports keep state
```


----------



## SirDice (Feb 7, 2012)

crazychip said:

> Can I define these networks in the firewall as 10.47.205.0/24 for the rule


Not sure. As a destination this should be fine. Not sure as a source though, that depends on how the VLANs are configured on the FreeBSD machine.


----------
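As an added example (not from either poster), here is how the office/project layout above looks once the project side is split over tagged VLAN interfaces, as the follow-up describes. The interface names `vlan100`/`vlan101`, the per-VLAN subnets, the office subnet and the optional DNS/NTP opening are assumptions for illustration; the example also tightens the project-to-office direction to match the original requirement that the office side be protected.

```pf
# Added example, not the thread's own config. Interface names, VLAN tags
# and subnets are assumed (vlan100/vlan101 created on em1 with ifconfig).
office_int   = "em0"                                  # office side
project_ints = "{ vlan100, vlan101 }"                 # assumed VLAN interfaces
project_net  = "{ 10.47.205.0/24, 10.47.206.0/24 }"   # assumed per-VLAN subnets
office_net   = "10.0.0.0/24"                          # assumed office subnet
allowed_tcp  = "{ 22, 3389 }"                         # SSH and RDP

set skip on lo0
set block-policy drop

# Default deny in both directions; 'log' sends drops to pflog0 for review
block log all

# Refuse packets whose source address cannot legitimately arrive on that interface
antispoof quick for $office_int
antispoof quick for $project_ints

# Office -> project: only SSH and RDP, and only from office addresses.
# States are floating by default, so the state created here also matches the
# packet leaving on the VLAN interface and the replies coming back; no
# separate 'pass out' is needed on $project_ints.
pass in quick on $office_int proto tcp from $office_net to $project_net port $allowed_tcp keep state

# Project -> office: nothing by default (covered by 'block log all').
# If project hosts need DNS/NTP from the office, open only those (assumed):
# pass in quick on $project_ints proto udp from $project_net to $office_net port { 53, 123 } keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then watch dropped traffic with `tcpdump -n -e -ttt -i pflog0` to confirm nothing needed is being blocked.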

