Hello everyone,

pf newbie here. I've been playing with rules for a day and I can't seem to wrap my head around what I'm supposed to do. First off, I believe in "block all" and want an explicit opt-in system. NAT is kind of getting in the way.
pf.conf
-------------
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"
# NAT supposedly wants to be at the top of the list
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Block everything, all rules are explicitly opt in
block log all
# Allow all local traffic on local network
pass in on $int_if from $int_if:network to any
pass out on $int_if from $int_if:network to any
# Pass out to internet all local network traffic and keep state to allow connect
pass out on $ext_if from $int_if:network to any keep state
#pass from any to any
This doesn't work because the packet IP address has already been translated before the filter could get to it on $ext_if. If I change the rule to "from $ext_if" I can't distinguish between packets originating on the local network versus the gateway/server. And if I do so anyway, even if I specify "keep state", the returning packets don't get through from their external IP addresses. Only if I declare explicit pass in rules from specific IP addresses will I get return traffic. Is there any way to do this without using a blanket "from any to any"? My first line of defence is identifying the traffic source. Can I possibly change the priority of NAT so that it is the last action processed?

Of course after I get it working I'll add port-specific rules. I'll appreciate any help offered.
Blue
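One way to keep the opt-in layout the post asks for without a blanket rule, as an added example that is not the poster's own configuration: mark LAN traffic with a tag where it first enters on the internal interface, then let only tagged packets out on the external interface. It assumes the same interface and network macros as the post and the classic `nat on` / `keep state` syntax the post uses; the `tag`/`tagged` keywords are standard pf.

```pf
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Translation still runs before filtering on $ext_if, so any filter rule
# there sees the already-translated source address ($ext_if), which is why
# "from $int_if:network" can never match on the outside interface.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; everything below is an explicit opt-in.
block log all

# Mark LAN-originated packets as they enter on the inside interface. The tag
# stays with the packet internally while pf forwards it; it never goes on
# the wire. keep state here is what admits the reply packets later.
pass in on $int_if from $int_net to any tag LAN keep state

# On the outside interface, forward only what was tagged on the way in.
# This separates LAN hosts from connections the gateway itself opens, even
# though after NAT both carry ($ext_if) as their source address.
pass out on $ext_if tagged LAN keep state

# Connections opened by the gateway itself get their own, separate opt-in,
# so they can be restricted (by port, protocol, etc.) independently.
pass out on $ext_if from ($ext_if) to any keep state

# Gateway-to-LAN traffic, as in the original rule set.
pass out on $int_if from $int_if:network to any keep state
```

Port-specific restrictions go on the two `pass in on $int_if` / `pass out on $ext_if` rules; anything not matched there is still caught by `block log all`, and `pfctl -sr` / `tcpdump -n -e -ttt -i pflog0` show which rule is dropping a given packet.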
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf