Hello everyone,

pf newbie here. I've been playing with rules for a day and I can't seem to wrap my head around what I'm supposed to do. First off, I believe in "block all" and want an explicit opt-in system. NAT is kind of getting in the way.

pf.conf
-------------
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# NAT supposedly wants to be at the top of the list
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block everything, all rules are explicitly opt in
block log all
# Allow all local traffic on local network
pass in on $int_if from $int_if:network to any
pass out on $int_if from $int_if:network to any
# Pass out to internet all local network traffic and keep state to allow connect
pass out on $ext_if from $int_if:network to any keep state
#pass from any to any

This doesn't work because the packet IP address has already been translated before the filter could get to it on $ext_if. If I change the rule to "from $ext_if" I can't distinguish between packets originating on the local network versus the gateway/server. And if I do so anyway, even if I specify "keep state", the returning packets don't get through from their external IP addresses. Only if I declare explicit pass in rules from specific IP addresses will I get return traffic. Is there any way to do this without using a blanket "from any to any"? My first line of defence is identifying the traffic source. Can I possibly change the priority of NAT so that it is the last action processed?

Of course after I get it working I'll add port-specific rules. I'll appreciate any help offered.


Blue


_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

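Added example, not part of the original post: a pf.conf that keeps the "block all, opt in" policy but carries the LAN identity across NAT with a packet tag. In this pf syntax the nat rules are evaluated before the outbound filter on $ext_if, and that order cannot be changed, so the untranslated 192.168.2.x source is only visible on the inbound pass on $int_if; a tag set there survives translation and can be matched on the way out. It assumes the same interface and network names as the post above; the tag name LAN and the "set skip on lo0" line are the editor's choices.

```pf
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

set skip on lo0

# Translation section: still has to come before the filter rules.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny, logged. Everything below is an explicit opt in.
block log all

# LAN traffic enters on $int_if with its real source address. Tag it here
# (the tag survives NAT) and create state so replies come back in.
# "keep state" is spelled out because older pf releases do not keep
# state by default; on newer ones it is harmless.
pass in on $int_if from $int_net to any tag LAN keep state

# Gateway to LAN (DNS/DHCP/SSH from the box itself, for example).
pass out on $int_if from ($int_if) to $int_net keep state

# Outbound on $ext_if the source is already ($ext_if), so match on the tag
# instead of the address. "quick" stops evaluation so the tagged LAN
# packets never fall through to the gateway-only rule below.
pass out quick on $ext_if tagged LAN keep state

# Traffic the gateway itself originates is never tagged, so it is the only
# thing that reaches this rule.
pass out on $ext_if from ($ext_if) to any keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it, then watch "pfctl -ss" while a LAN host opens a connection: you should see one state on em0 for the untranslated flow and one on rl0 for the translated one, and "pfctl -sr" will show the tagged rules. Port-specific restrictions go on the "pass in on $int_if" rule, since that is the only place the real client address is still visible.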