On Mon, 19 Feb 2007, martin g wrote:

> Hey all
>
> I have a question about blocking private addr. with pf.
>
> I have defined the reserved addresses according to RFC 1918 in a table
> <priv_ip>
>
> My default rule is :
>
> block in on $ext_if
> block out on $ext_if
>
> pass in on $int_if
> pass out on $int_if
>
> 1. With these 2 rules defined is it still recommended to block private addr.?

Yes. RFC1918 source/destination packets should be kept from the public
internet. Any coming to you are bogus. Any leaving your router are bogus;
they should both be dropped. Such packets are "non-routable".

> If it is then:
>
> Computers on my network have IPs from block 192.168.0.0/16, let's say
> 192.168.1.100 to 192.168.1.105
> I make another table called <lan>
>
> What is the correct rule? Do I negate table lan in a rule
>
> block in on $ext_if from any to { <priv_ip>, !<lan> }
> block out on $ext_if from { <priv_ip>, !<lan> } to any
>
> or do I negate IPs in a table like so
>
> table <lan> { !192.168.1.100 , ...}
>
> tnx for reply

Neither. You want to block them all at the ext_if. You want to use nat to
map your LAN addresses to something routable. If you forward packets from
an RFC1918 address, those packets will soon be dropped, probably by the
next host to forward them.

Dave
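A pf.conf fragment putting Dave's answer into rules, added here as an example; it is not from either poster. It uses the OpenBSD 4.0-era "nat on" syntax current when this thread was written, so the translation rule is evaluated before the filter rules and the outbound block on <priv_ip> only ever sees a LAN source address that escaped translation. Interface names, the LAN prefix and the final "pass out" rule are assumptions for illustration; the table contents are the three RFC 1918 blocks.

```pf
# Added example, not from the original thread. Interface names and the
# LAN prefix are assumed; adjust to the router's own interfaces.
ext_if = "fxp0"   # assumed: public-facing interface with a routable address
int_if = "fxp1"   # assumed: LAN interface, 192.168.1.0/24

# All of RFC 1918 private space. No <lan> table and no negation needed:
# the LAN is never seen on $ext_if with its private source, see below.
table <priv_ip> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Translate every LAN source to the external address before filtering.
# (OpenBSD 4.7 and later moved this to "match ... nat-to" syntax.)
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Non-routable addresses never belong on the external interface, in
# either direction. "quick" stops evaluation so no later pass rule can
# accidentally let them through; logging makes leaks visible in pflog0.
block in  log quick on $ext_if from <priv_ip> to any
block in  log quick on $ext_if from any to <priv_ip>
block out log quick on $ext_if from <priv_ip> to any
block out log quick on $ext_if from any to <priv_ip>

# The default policy from the question: deny on the outside, allow the LAN.
block in  on $ext_if
block out on $ext_if
pass in   on $int_if
pass out  on $int_if

# Let translated LAN traffic out, keeping state so replies are matched
# back to the connection (explicit here; 4.1 and later default to it).
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. One caveat: the rules assume $ext_if itself holds a public address; if the router sits behind another NAT box and its external address is in 192.168.0.0/16 or another RFC 1918 block, the `block out quick ... from <priv_ip>` rule drops the translated traffic as well, and the table has to exclude that upstream prefix.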