
on FreeBSD, how do I open a port on WAN but not on LAN?

I have one FreeBSD machine that I use as a playbox/server/torrentbox. It’s part of my LAN. Here is the semantics (altered from an example on the OpenBSD website):

[ desktop ]    [ laptop ]
    |            |                               
 ---+------+-----+------- [switch] -------- ( DSL modem )
           |
       [ FreeBSD playbox ]

I have set static IPs in all devices in the 10.0.0.0/24 range. So my DSL modem is 10.0.0.1, my desktop is 10.0.0.2, and the FreeBSD box is 10.0.0.3. There is also DHCP enabled, so every machine that doesn’t have a static IP (a friend brings a laptop) gets assigned one by the DSL modem, in the range 10.0.0.30 – 10.0.0.60.

I have only one Ethernet card (em0) and I want to open a port on WAN but not on LAN. Doing this:

block in all
pass out all keep state
pass in proto tcp from any to any port 22

will open the port on LAN too.

In all the examples I’ve seen that separated WAN and LAN, it was with two NICs and FreeBSD played the role of an intermediate (a firewall).

So, how do I open a port only on WAN?

This question has a follow-up. There will be some ports that I want open on both LAN and WAN, but I want to impose some limits on WAN. Here is an example I found online:

# Setup a table and ruleset that prevents excessive abuse by hosts
# that attempt to brute force the ssh daemon with repeated requests.
# any host that hammers more than 3 connections in 5 seconds gets
# all their packet states killed and dropped into a blackhole table.
table <wan_abuse> persist
block in quick from <wan_abuse>
pass in on $eth proto tcp to any port $wan_servers_tcp flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <wan_abuse> flush)
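One way to express both parts of the question in a single-NIC pf.conf, as an added example that is not part of the original post: it takes em0 and 10.0.0.0/24 from the question, assumes the DSL modem forwards ports without rewriting the source address (so WAN clients arrive with a non-LAN source IP, which is what the rules key on), and uses ports 80 and 443 as placeholders for the services that should be reachable from both sides.

```pf
# Added example, not from the original post.
# Single-NIC FreeBSD host: SSH reachable from WAN only, other services from
# LAN and WAN, with the connection-rate limits applied only to WAN peers.
# Assumptions: NIC em0 and LAN 10.0.0.0/24 as in the question; the modem
# port-forwards without NAT'ing the source, so WAN peers have non-LAN sources.
ext_if       = "em0"
lan_net      = "10.0.0.0/24"
wan_only_tcp = "{ 22 }"        # open towards WAN only
shared_tcp   = "{ 80, 443 }"   # placeholder ports open to LAN and WAN

# Sources that exceed the WAN limits land here until flushed/expired.
table <wan_abuse> persist

set skip on lo0
block in all
pass out all keep state

# Drop abusers early; only WAN peers can ever be added to the table.
block in quick on $ext_if from <wan_abuse>

# WAN-only port: the rule only matches when the source is NOT on the LAN.
pass in on $ext_if proto tcp from ! $lan_net to ($ext_if) \
    port $wan_only_tcp flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, overload <wan_abuse> flush)

# Shared ports: LAN peers get an unlimited rule, WAN peers the limited one.
pass in on $ext_if proto tcp from $lan_net to ($ext_if) \
    port $shared_tcp flags S/SA keep state
pass in on $ext_if proto tcp from ! $lan_net to ($ext_if) \
    port $shared_tcp flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, overload <wan_abuse> flush)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect who has been overloaded with `pfctl -t wan_abuse -T show`.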
