Technical data
3. Base configuration
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='2'
PF_FORWARD_1='tmpl:samba DROP'
PF_FORWARD_2='IP_NET_1 ACCEPT'
Note the dependence on the order of the rules: first the NetBIOS packets are dropped, and only
afterwards are the packets of the local net accepted.
The local net may now communicate with the router and its packets get forwarded; only the
masquerading that is necessary for Internet access from a local network is still missing:
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='IP_NET_1 MASQUERADE'
Trusted Nets
If we want several local subnets that communicate with each other freely and unmasked, we have
to ensure that packets between those nets are neither dropped nor masqueraded. To achieve this
we add a rule or edit the existing one.
Let’s assume we have a DSL connection over PPPoE and the two subnets are IP_NET_1
(192.168.6.0/24) and IP_NET_2 (192.168.7.0/24). In this case the configuration would be as
follows:
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='4'
PF_FORWARD_1='IP_NET_1 IP_NET_2 ACCEPT BIDIRECTIONAL'
PF_FORWARD_2='tmpl:samba DROP'
PF_FORWARD_3='IP_NET_1 ACCEPT'
PF_FORWARD_4='IP_NET_2 ACCEPT'
PF_POSTROUTING_N='3'
PF_POSTROUTING_1='IP_NET_1 IP_NET_2 ACCEPT BIDIRECTIONAL'
PF_POSTROUTING_2='IP_NET_1 MASQUERADE'
PF_POSTROUTING_3='IP_NET_2 MASQUERADE'
The first rule ensures that packets between the two subnets are forwarded without further
processing; because it comes first, the NetBIOS drop of the second rule does not apply to them.
The third and fourth rules ensure that both subnets also have Internet access. The first rule of
the POSTROUTING chain provides unmasqueraded communication between both subnets.
Put differently, only packets leaving over the pppoe interface have to be masqueraded, so the
POSTROUTING chain can be reduced to:
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='if:any:pppoe MASQUERADE'
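To make the first-match order dependence visible, here is an added example (not from the fli4l manual) that evaluates the rule strings above against constructed packets. It models only the selector forms used on this page; the port set behind tmpl:samba, the POSTROUTING default of ACCEPT (no masquerading) and the host addresses are assumptions made for the example. decide() returns the FORWARD and POSTROUTING verdicts, and passing a rule list with the samba DROP placed after the net ACCEPT shows the NetBIOS leak the text warns about.

```python
import ipaddress

# Subnet definitions, using the values given on the page.
NETS = {"IP_NET_1": ipaddress.ip_network("192.168.6.0/24"),
        "IP_NET_2": ipaddress.ip_network("192.168.7.0/24")}
# Assumed expansion of tmpl:samba (NetBIOS/SMB ports); fli4l's real template may differ.
TEMPLATES = {"tmpl:samba": {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}}
ACTIONS = ("ACCEPT", "DROP", "REJECT", "MASQUERADE")

def _in(net_name, ip):
    return ipaddress.ip_address(ip) in NETS[net_name]

def _matches(selectors, flags, pkt):
    """Match the selector forms used on this page against one packet."""
    if selectors[0].startswith("tmpl:"):                # 'tmpl:samba DROP'
        return (pkt["proto"], pkt["dport"]) in TEMPLATES[selectors[0]]
    if selectors[0].startswith("if:"):                  # 'if:any:pppoe MASQUERADE'
        return pkt["out_if"].startswith(selectors[0].split(":")[2])
    if len(selectors) == 1:                             # 'IP_NET_1 ACCEPT': source net only
        return _in(selectors[0], pkt["src"])
    src_net, dst_net = selectors                        # 'IP_NET_1 IP_NET_2 ACCEPT [BIDIRECTIONAL]'
    forward = _in(src_net, pkt["src"]) and _in(dst_net, pkt["dst"])
    back = "BIDIRECTIONAL" in flags and _in(dst_net, pkt["src"]) and _in(src_net, pkt["dst"])
    return forward or back

def evaluate(rules, policy, pkt):
    """First matching rule wins; this is the order dependence the text warns about."""
    for rule in rules:
        tokens = rule.split()
        i = next(k for k, t in enumerate(tokens) if t in ACTIONS)
        if _matches(tokens[:i], tokens[i + 1:], pkt):
            return tokens[i]
    return policy

FORWARD = ["IP_NET_1 IP_NET_2 ACCEPT BIDIRECTIONAL", "tmpl:samba DROP",
           "IP_NET_1 ACCEPT", "IP_NET_2 ACCEPT"]
POSTROUTING = ["IP_NET_1 IP_NET_2 ACCEPT BIDIRECTIONAL",
               "IP_NET_1 MASQUERADE", "IP_NET_2 MASQUERADE"]

def pkt(src, dst, proto="tcp", dport=80, out_if="pppoe0"):
    """Constructed packet; out_if is the interface the router would send it out on."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "out_if": out_if}

def decide(p, forward=FORWARD, postrouting=POSTROUTING):
    """Return (FORWARD verdict, POSTROUTING verdict); POSTROUTING is only reached if forwarded."""
    fwd = evaluate(forward, "REJECT", p)                # PF_FORWARD_POLICY='REJECT'
    post = evaluate(postrouting, "ACCEPT", p) if fwd == "ACCEPT" else None  # assumed default
    return fwd, post
```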
We could just as well have restricted the port filtering to the pppoe interface and combined
both subnets into one, as seen here: