
I'm trying to do something that I thought would be relatively simple: Block all the traffic to a test server, other than my company's subnet.

I've tried things along these lines (111.111.0.0 is my placeholder for this example), but only the block seems to work:

block in all
pass in from 111.111.0.0
pass in on en0 from 111.111.0.0
pass in all from 111.111.0.0

None of those pass in lines seem to work (I know some of those might throw a syntax error, as I'm just grabbing all the lines I've commented out while testing).

Is this less simple than I assumed? Am I missing something obvious?

1 Answer

It's because it's specifying a single IP; you need to write it with the subnet:

pass in from 111.111.0.0/16

man pf.conf should list a few methods of defining ranges and blocks. A side note: take care to ensure there are no "drop quick" kind of rules above your pass, and no rules below that could accidentally match and block your packets.

pete
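As an added illustration (not part of the question or the answer above), here is a complete minimal pf.conf that does what the question asks: default-deny inbound on en0, then allow only the company subnet. It uses the question's placeholder 111.111.0.0/16 and en0; the macro names and the lo0 skip are my own assumptions, and the comments spell out the rule-ordering caveat the answer raises.

```pf
# Added example ruleset, not from the original post.
# Placeholder subnet and interface taken from the question; adjust to fit.
company_net = "111.111.0.0/16"
ext_if = "en0"

# Options must come before filter rules. Leaving loopback unfiltered is
# an assumption here; many local services depend on it.
set skip on lo0

# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# except that a rule carrying "quick" stops evaluation on the spot.
# So a "block ... quick" placed above the pass below would discard the
# company packets before the pass is ever reached.

# Default deny for everything arriving on the external interface.
block in on $ext_if all

# Allow anything from the company subnet. The /16 is what makes this a
# range; "from 111.111.0.0" alone matches only that single host address.
# State is kept by default on pass rules, so reply traffic is tracked.
pass in on $ext_if from $company_net to any

# Do not put a broad "block in" rule below this point: under last-match
# semantics it would override the pass above.
```

Check the syntax without loading it with `pfctl -nf /path/to/pf.conf`, load it with `pfctl -f /path/to/pf.conf` (and `pfctl -e` if pf is not yet enabled), then confirm the effective order with `pfctl -sr`; the rule listing is the quickest way to spot a stray `quick` block or a later block that shadows the pass.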