On 4/11/06, Chris Telting <[EMAIL PROTECTED]> wrote:
> pf newbie here. I've been playing with rules for a day and I can't seem to wrap my head around
> what I'm supposed to do. First off, I believe in "block all" and want an explicit opt-in system. NAT
> is kind of getting in the way.

Have you read through the well-commented example in the PF user's guide at
http://www.openbsd.org/faq/pf/example1.html ?

> pf.conf
> -------------
> int_if="em0"
> ext_if="rl0"
> int_net="192.168.2.0/24"
>
> # NAT supposedly wants to be at the top of the list
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> # Block everything, all rules are explicitly opt-in
> block log all
> # Allow all local traffic on local network
> pass in on $int_if from $int_if:network to any
> pass out on $int_if from $int_if:network to any
> # Pass out to internet all local network traffic and keep state to allow connect
> pass out on $ext_if from $int_if:network to any keep state
> #pass from any to any
>
> This doesn't work because the packet IP address has already been translated before the filter
> could get to it on $ext_if. If I change the rule to "from $ext_if" I can't distinguish between
> packets originating on the local network versus the gateway/server.

You *could* do that by tagging in the NAT rule if you needed to. Personally, I haven't run into
any situation where I needed to do that.

> And if I do so anyway, even if I specify "keep state", the returning packets don't get through
> from their external IP addresses.

You haven't allowed traffic out of the internal interface (pass out on $int_if from any to
$int_if:network).

> Only if I declare explicit pass in rules from specific IP addresses will I get return
> traffic. Is there any way to do this without using a blanket "from any to any"? My first line of
> defence is identifying the traffic source. Can I possibly change the priority of NAT so that it is
> the last action processed?

No, in PF the translation rules are always processed first.

> Of course after I get it working I'll add port-specific rules. I'll appreciate any help offered.

The man page for pf.conf can be a pretty intimidating read; I've got a couple of network guys that
have been going over it for a couple of months and are still figuring out the more intricate
options. The sample pf.conf is fairly decent, but the OpenBSD PF user's guide at
http://www.openbsd.org/faq/pf/index.html is a good read and will go a long way towards
understanding how it works.

--
Jon Simola
Systems Administrator
ABC Communications
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
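The following pf.conf puts both of Jon's suggestions together: the NAT rule tags LAN-originated packets so the filter on $ext_if can still tell them apart from the gateway's own traffic after translation, and an explicit pass out rule on $int_if covers the de-translated replies. This is an added example, not a config from the thread; the interface names and the 192.168.2.0/24 prefix are copied from Chris's posted config, and the tag name LAN_NAT is an arbitrary choice.

```pf
# Added example (not from the thread). em0/rl0 and 192.168.2.0/24 are
# assumptions taken from the posted config; LAN_NAT is an arbitrary tag.
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Translation runs before filtering, so by the time a LAN packet is
# filtered outbound on $ext_if its source is already ($ext_if). Tag it
# here; the tag travels with the packet into the filter rules.
# Do NOT write "nat pass": that would skip the filter rules entirely.
nat on $ext_if from $int_net to any tag LAN_NAT -> ($ext_if)

# Default deny, logged. Everything below is an explicit opt-in.
block log all

# LAN hosts may send packets toward the gateway/Internet. No state here:
# the state is created on $ext_if below, where the source check happens.
pass in on $int_if from $int_net to any

# Only packets that went through the NAT rule leave $ext_if under this
# rule. The gateway's own traffic carries no tag and is matched separately.
# keep state creates the entry that admits the replies back in on $ext_if.
pass out on $ext_if tagged LAN_NAT keep state

# Replies have been de-translated when they reach $int_if, so their
# source is an arbitrary Internet address; this is the rule Jon points
# out as missing from the original config.
pass out on $int_if from any to $int_net keep state

# Traffic originated by the gateway itself, kept as its own opt-in rule
# instead of a blanket "from any to any" on $ext_if.
pass out on $ext_if from ($ext_if) to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. To confirm the tag is doing its job, run `pfctl -vsr` after generating some traffic from a LAN host and from the gateway: the evaluation and packet counters on the `tagged LAN_NAT` rule should move only for the LAN host's connections, and `pfctl -ss` should show the resulting state entries. Tag names are case-sensitive and must match exactly between the `tag` and `tagged` keywords.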