
Filtering two separate networks

Hey All,
We are soon to have 2 separate lines coming into our office each with
a separate set of IPs and restrictions (One full class C each).  They
will be handled by one router, and we would like to firewall both of
them with just one box running pf.  Our router will be plugging
straight into the external interface on the box (ext_if) and then we
have two other interfaces which will each go to separate switches to
keep the networks completely separate.  So far I have tried to add all
three interfaces to the bridge but something in the current ruleset
was preventing anything from getting out, so I have decided to start
from scratch and was hoping someone could just point me in the right
direction - we'd like traffic between the two networks to just be
bridged through the pf box rather than having to go through our
router.  Of course we'd like to place restrictions on what would be
bridged, and also each network would have its own distinct rules for
getting out of the network as well.
So basically I'm looking for something like:
ext_if - interface plugged directly into router
int1_if - interface to network1
int2_if - interface to network2
network1 has full access to network2, but network2 has no access to network1
network1 has full outgoing access to the internet, network2 is allowed
only port 80 out.
all external traffic originating from outside is blocked to both.
If I could get that working I'm sure I could get the rest of the rules
working.  The external interface has no IP for security, and each of
the internal interfaces is assigned address .2 on the associated IP
range.  The bridge file looks like this "add em0 add em1 add fxp0 up"
- is that correct?
Lyle Worthington
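The policy described in the post (network1 may reach network2 and the internet freely, network2 may reach only TCP port 80 on the internet and nothing on network1, nothing initiated from outside reaches either), as an added example pf.conf sketch that is not part of the original message or any reply. It assumes the interface-to-role mapping and the two address ranges shown in the macros (the post does not say which of em0, em1 and fxp0 is the external interface, and 192.0.2.0/24 and 198.51.100.0/24 are documentation placeholders for the two class C blocks). It also assumes pf is filtering on the bridge member interfaces, which is the default for an OpenBSD bridge(4), and that states are floating (the default state-policy), so a state created by a "pass in" rule on one member also matches the same flow leaving on another member and its replies coming back.

```pf
# Added example: pf.conf for one bridge with an external member and two
# internal members.  Interface roles and address ranges are assumptions.
ext_if  = "fxp0"            # assumed: member plugged into the router, no IP
int1_if = "em0"             # assumed: member facing network1's switch
int2_if = "em1"             # assumed: member facing network2's switch
net1    = "192.0.2.0/24"    # placeholder for network1's class C
net2    = "198.51.100.0/24" # placeholder for network2's class C

set skip on lo0

# Default deny on every interface.  This alone blocks everything that
# originates outside, since no rule below passes traffic in on $ext_if.
block log all

# network2 -> network1 is never allowed; block it first and log it so
# attempts show up in pflog even though "block all" would drop it anyway.
block in log quick on $int2_if from $net2 to $net1

# network1 -> network2: full access, bridged through this box.
# The "pass in" creates a floating state that also lets the packet out on
# $int2_if and lets the reply back in on $int2_if; the "pass out" is kept
# explicit so the policy reads top to bottom.
pass in  on $int1_if from $net1 to $net2 keep state
pass out on $int2_if from $net1 to $net2 keep state

# network1 -> internet: full outgoing access.
pass in  on $int1_if from $net1 to ! $net2 keep state
pass out on $ext_if  from $net1 keep state

# network2 -> internet: TCP port 80 only.  The "to ! $net1" is redundant
# with the quick block above but documents the intent.
pass in  on $int2_if proto tcp from $net2 to ! $net1 port 80 flags S/SA keep state
pass out on $ext_if  proto tcp from $net2 port 80 keep state
```

With this in place, "pfctl -nf /etc/pf.conf" checks the syntax before loading, and "pfctl -sr" after loading shows the rules as pf expanded them. Because the external member carries no IP, nothing on the box answers from that side; the two .2 addresses on the internal members are only used for management from inside. Note that the "pass in" rules on an internal member also create the state that carries the flow out the other member, so if the box later runs a non-floating state policy ("set state-policy if-bound"), the matching "pass out" rules above become required rather than documentary.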