>> And that should accomplish what you are trying to do IIUC.

I already accomplished what I wanted. I'm simply trying to understand why I had to go about it this way.
lo0 already has a skip on it.

On Fri, Nov 8, 2013 at 3:08 PM, Jason Hellenthal <jhellent...@dataix.net> wrote:

> Should say too . . . don't forget to either skip on lo0 or pass on lo0
>
> On Nov 8, 2013, at 9:05, Jason Hellenthal <jhellent...@dataix.net> wrote:
>
> > Curious if your line breaks are correct? Your block and pass rule appear to be on the same line.
> >
> > This should do it . . .
> >
> > block in all
> > block return in quick from !$internal_ip to $external_ip
> > pass out all keep state
> >
> > But if you already have a block all rule there is no need for the second, as you're already blocking all traffic, so I might suggest this, not knowing your topology.
> >
> > I also would not suggest "return" for non internal traffic except for specific targeted services that it might affect.
> > . . .
> > :BEGIN
> >
> > spoof on lo0
> > spoof on $ext_if
> >
> > block all
> > pass out quick from $me
> > pass in quick from $int to $me
> >
> > :END
> >
> > And that should accomplish what you are trying to do IIUC.
> >
> > You can use pftop to verify packets on hit rules.
> >
> >> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vas...@gmail.com> wrote:
> >>
> >> Hi all,
> >>
> >> I have a 9.1-STABLE r251615 acting as a firewall.
> >>
> >> The rules:
> >> block in all pass out all keep state [...] block return from !$internal_ip to $external_ip
> >>
> >> What I want is to block all the network except $internal from accessing $external_ip. For some reason, the above rule simply does not work. However, the below does work and blocks everyone except $internal_ip:
> >>
> >> block return from $internal_net/24 to $external_ip pass from $internal_ip to $external_ip
> >>
> >> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it should work like in the first example.
> >>
> >> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
> >>
> >> --
> >> Best regards,
> >> Claudiu Vasadi
> >> _______________________________________________
> >> freebsd-pf@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

--
Best regards,
Claudiu Vasadi
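As an added illustration of the two pf evaluation styles this thread compares, written for this page and not taken from any message in the thread: a minimal pf.conf that expresses the stated goal (only $internal_ip may reach $external_ip) once in pf's default last-matching-rule-wins style and once with `quick`, where the first matching rule is final. Interface names and addresses are hypothetical placeholders; the base `block in all` / `pass out all keep state` pair mirrors the original poster's ruleset.

```pf
# Added example, not from the thread. All macro values are placeholders.
ext_if = "em0"
int_if = "em1"
external_ip = "203.0.113.10"   # placeholder: the address being protected
internal_ip = "192.0.2.20"     # placeholder: the only host allowed to reach it

# Loopback is not filtered, as discussed in the thread.
set skip on lo0

# Base policy from the original post: default deny inbound, allow outbound.
block in all
pass out all keep state

# Style A: pf's default evaluation, last matching rule wins.
# Order matters: the broad block comes first, the narrow pass comes after it,
# so for $internal_ip the pass is the last match and wins; for everyone else
# the block is the last match. Using "any" plus a positive pass avoids
# negating an address macro at all.
block return from any to $external_ip
pass from $internal_ip to $external_ip keep state

# Style B: same intent with "quick", where the first matching rule is final.
# Use this pair INSTEAD of the Style A pair, not in addition to it.
# pass quick from $internal_ip to $external_ip keep state
# block return quick from any to $external_ip
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without changing the running ruleset; after `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the expanded rules and `pfctl -vvsr` prints per-rule evaluation and match counters, which is the same "which rule actually hit" check the thread suggests doing with pftop. `keep state` is spelled out here to match the thread, although it is already the default for pass rules in this generation of pf.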