Date: Tue, 12 Dec 2006 21:38:59 -0600
From: "Travis H." <travis@subspacefield.org>
To: freebsd-pf@freebsd.org
Subject: Re: Help with <other_clients> issue
Message-ID: <20061213033859.GA5482@subspacefield.org>
In-Reply-To: <bf7af5e50612080639p76f4a530x20d70677cac434fd@mail.gmail.com>
References: <bf7af5e50612080639p76f4a530x20d70677cac434fd@mail.gmail.com>

On Fri, Dec 08, 2006 at 08:39:29AM -0600, Isaac Grover wrote:
> ext_if="xl2"
> ext_net=$ext_if:network
> wireless_if="xl1"
> wireless_if_addr="192.168.100.1"
> wireless_net=$wireless_if:network
> my_laptop="192.168.100.X"

Is that censored or really an X?

> table <other_clients> { $wireless_net, !$my_laptop }

No point in excluding your laptop because all your rules are permits.

> nat on $ext_if from <other_clients> to any port $tcp_services -> ($ext_if)
> nat on $ext_if from $my_laptop to any -> ($ext_if)
>
> rdr on $wireless_if inet proto tcp from $wireless_net to any port 80
> -> $wireless_if_addr port 3080

Try putting the "pass" keyword on these, it fixes things if you forget the
nat/rdr occurs before the filter rules.

> pass out on $ext_if inet proto tcp from $wireless_net to any port 3080
> keep state
> pass out on $ext_if inet proto tcp from <other_clients> to any port
> $tcp_services keep state
> pass out on $ext_if inet proto tcp from $my_laptop to any keep state
> pass out on $ext_if inet proto udp from $wireless_net to any port
> $udp_services keep state
> pass inet proto icmp from any to any

Feed your rules into pf and see what pfctl -s all says they expand to.
Redirect it to a file or use "screen" then "screen -r".

--
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-
