Should say too . . . don't forget to either skip on lo0 or pass on lo0

> On Nov 8, 2013, at 9:05, Jason Hellenthal <jhellent...@dataix.net> wrote:
>
> Curious if your line breaks are correct? Your block and pass rule appear to
> be on the same line.
>
> This should do it . . .
>
> block in all
> block return in quick from !$internal_ip to $external_ip
> pass out all keep state
>
>
> But if you already have a block all rule there is no need for the second as
> you're already blocking all traffic, so I might suggest this not knowing your
> topology.
>
> I also would not suggest "return" for non-internal traffic except for
> specific targeted services that it might affect.
> . . .
> :BEGIN
>
> spoof on lo0
> spoof on $ext_if
>
> block all
> pass out quick from $me
> pass in quick from $int to $me
>
> :END
>
> And that should accomplish what you are trying to do IIUC.
>
> You can use pftop to verify packets on hit rules.
>
>> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vas...@gmail.com> wrote:
>>
>> Hi all,
>>
>> I have a 9.1-STABLE r251615 acting as a firewall.
>>
>> The rules:
>> block in all pass out all keep state [...] block return from !$internal_ip to $external_ip
>>
>> What I want is to block all the network except $internal from accessing
>> $external_ip. For some reason, the above rule simply does not work.
>> However, the below does work and blocks everyone except $internal_ip:
>>
>> block return from $internal_net/24 to $external_ip pass from $internal_ip to $external_ip
>>
>> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
>> should work like in the first example.
>>
>> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
>>
>> --
>> Best regards,
>> Claudiu Vasadi
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
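A small evaluator for the rule semantics this thread leans on (in pf the last matching rule wins, unless a matching rule carries `quick`, which ends evaluation on the spot), added here as an illustration; it is not code from the thread or from pf itself, ignores keep state, interfaces, ports and protocols, and uses constructed addresses standing in for $me, $int and an outside host.

```python
"""Simplified model of pf rule evaluation (illustration, not pf's own code).

Last matching rule decides, except that a matching `quick` rule stops the
walk immediately.  State, interfaces, ports and protocols are not modelled.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out", or None for either
    src: Optional[Set[str]] = None     # None means "any"
    dst: Optional[Set[str]] = None     # None means "any"
    negate_src: bool = False           # models "from !$x"
    quick: bool = False                # models the `quick` keyword

    def matches(self, direction: str, src: str, dst: str) -> bool:
        if self.direction and self.direction != direction:
            return False
        if self.src is not None and (src in self.src) == self.negate_src:
            return False               # "from $x" needs src in set; "from !$x" needs it absent
        if self.dst is not None and dst not in self.dst:
            return False
        return True


def evaluate(rules, direction: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that decided); pf passes by default."""
    decision, hit = "pass", None
    for i, rule in enumerate(rules):
        if rule.matches(direction, src, dst):
            decision, hit = rule.action, i
            if rule.quick:             # quick: stop here, later rules cannot override
                break
    return decision, hit


# Constructed addresses for $me, $int and an outside host (not from the thread).
ME, INT, OUTSIDE = "203.0.113.1", "192.0.2.10", "198.51.100.7"

# The ruleset suggested in the reply above, in the same order.
SUGGESTED = [
    Rule("block"),                                        # block all
    Rule("pass", "out", src={ME}, quick=True),            # pass out quick from $me
    Rule("pass", "in", src={INT}, dst={ME}, quick=True),  # pass in quick from $int to $me
]

if __name__ == "__main__":
    for pkt in [("out", ME, OUTSIDE), ("in", INT, ME), ("in", OUTSIDE, ME)]:
        print(pkt, "->", evaluate(SUGGESTED, *pkt))
```

The returned index plays the role of the "hit rule" one would confirm with pftop: the outside host is decided by rule 0 (block all), since neither `quick` pass rule matches it.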