On 18/12/13 13:53, Maxim Khitrov wrote:
> When writing outbound rules in pf, is there an accepted best practice
> for only matching packets that are either forwarded or
> firewall-generated?
>
> The best that I could come up with is 'received-on all' as a way of
> identifying forwarded packets, but that option can't be negated to
> match packets that were not received on any inbound interface (i.e.
> those generated by the firewall itself).
>
> Another option is 'from (self)', but then you have to be careful with
> any preceding nat rules. Ideally, I want a solution that doesn't
> depend on the context. I also tried to use tags in combination with
> 'received-on', but it became rather messy and created conflicts with
> other tag usage.
>
> What is everyone else using to solve this problem?

Check the "user" option in pf.conf(5):

     user <user>
             This rule only applies to packets of sockets owned by the
             specified user.  For outgoing connections initiated from the
             firewall, this is the user that opened the connection.  For
             incoming connections to the firewall itself, this is the user
             that listens on the destination port.  For forwarded connections,
             where the firewall is not a connection endpoint, the user and
             group are unknown.
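As an added illustration (not part of the thread, and not the replier's own ruleset) of how the "user" option separates the two cases: forwarded TCP/UDP packets carry the special owner "unknown", while anything the firewall itself originates has a real owning socket, so "user unknown" and "user != unknown" give the two classes directly, independent of interface or preceding nat rules. The interface name and the daemon users are assumptions.

```pf
# Added example, not from the original thread. Assumes OpenBSD-style pf.conf
# with external interface em0 and daemon users root and _ntp (hypothetical).
ext_if = "em0"

# Forwarded traffic: the firewall is not an endpoint, so pf records the
# socket owner as "unknown". Only "= unknown" / "!= unknown" match it;
# range comparisons such as "user >= 0" never match forwarded packets.
pass out on $ext_if proto { tcp, udp } user unknown

# Firewall-generated traffic: every TCP/UDP packet has an owning socket.
# "user != unknown" covers all of it without relying on "from (self)".
pass out on $ext_if proto { tcp, udp } user != unknown

# Tighter variant: allow only specific local daemons to originate traffic.
# Note that a socket opened as root before privilege drop stays owned by root.
# (Keep only one of the two firewall-generated rules in a real config.)
pass out on $ext_if proto udp to port 123 user _ntp
block out on $ext_if proto { tcp, udp } user != unknown

# Caveat: only TCP and UDP packets are associated with a user; for other
# protocols the "user" parameter is ignored, so handle them on their own.
pass out on $ext_if inet proto icmp
```

Verify the intended split with `pfctl -vsr` and a few test connections from the firewall and from a forwarded host, since the rule order above is last-match-wins.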
