Date: Thu, 27 Sep 2007 18:08:36 +0200
From: Reinhard Haller <reinhard.haller@interactive-net.de>
To: freebsd-pf@freebsd.org
Subject: Re: filtering local traffic on nat gateway
Message-ID: <46FBD584.5010907@interactive-net.de>
In-Reply-To: <20070926205421.GE32662@verio.net>
References: <46F819D2.5060904@interactive-net.de> <6e6841490709250820i628855cbn54461cc9671d7f9b@mail.gmail.com> <46FA215F.7040905@interactive-net.de> <20070926205421.GE32662@verio.net>
Hi David,

David DeSimone schrieb:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Reinhard Haller <reinhard.haller@interactive-net.de> wrote:
>
>> Based on the last rule there is no way to distinguish forwarded from
>> local outgoing traffic.
>>
>> Any suggestions?
>
> Change this rule like so:
>
>> nat on $ext_if from !($ext_if) -> ($ext_if)
>
> to
>
>> nat pass on $ext_if from !($ext_if) -> ($ext_if)
>

I used tagging instead:

pass quick proto tcp from $internal_net to $external_net port $tcp_unrestricted_ports tag PASS
pass out on $ext_if from ($ext_if) to $external_net tagged PASS

> This way, all traffic chosen to be nat'd will also pass the ruleset.
> Or rather, bypass the ruleset.
>
> I am worried about your rule, though, because it seems that even any
> traffic arriving from the Internet will have a source IP of !($ext_if),
> so it will end up matching ALL traffic.

The nat rule is borrowed from man pf.conf (translation examples). Hope
they know what they do.

> - --
> David DeSimone == Network Admin == fox@verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFG+sb9FSrKRjX5eCoRAq6sAJ0bd5YUF1CxNl9og78X9PaKg61gXwCfSDn6
> GdZ6ARC0dBlz4Lm6Uo9ZE5s=
> =gMmc
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Greetings
Reinhard
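The tagging approach from the message above, carried through into a complete pf.conf so the two kinds of outbound traffic can be seen side by side. This is an added example, not Reinhard's or David's ruleset; the interface names, networks and port lists are assumptions, and `keep state` is written out explicitly so the ruleset behaves the same on pf versions where it is not the default.

```pf
# Constructed example (not from the thread): a NAT gateway that filters
# forwarded LAN traffic separately from traffic the gateway itself sends.
# Interface names, networks and port lists below are assumptions.
ext_if = "em0"
int_if = "em1"
internal_net = "192.168.1.0/24"
tcp_unrestricted_ports = "{ 80, 443 }"

# nat rules are only consulted for packets *leaving* $ext_if, so a packet
# arriving from the Internet is never translated by this rule even though
# its source address also matches !($ext_if). Because this is plain "nat"
# and not "nat pass", translated packets are still checked by the out rules.
nat on $ext_if from !($ext_if) -> ($ext_if)

# Default deny in both directions; everything below is an explicit exception.
block log all

# Forwarded traffic: decide on $int_if, as the packet enters the gateway,
# and mark the packet with a tag. Only the allowed services get the tag;
# anything else from the LAN falls through to the block above.
pass in quick on $int_if inet proto tcp from $internal_net to any \
    port $tcp_unrestricted_ports tag PASS keep state
pass in quick on $int_if inet proto udp from $internal_net to any \
    port 53 tag PASS keep state

# After translation the forwarded packet leaves $ext_if with source
# ($ext_if), indistinguishable by address from locally generated traffic.
# The tag set on the way in is what tells the two apart here.
pass out quick on $ext_if tagged PASS keep state

# Locally generated traffic from the gateway carries no tag, so it is matched
# by its own rules and can be restricted more tightly than forwarded traffic.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port { 22, 80, 443 } keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
    port 53 keep state

# Replies to the states created above are admitted by the state table;
# no separate "pass in on $ext_if" rule is needed for them.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -vsr` prints per-rule packet counters, which is the quickest way to confirm that forwarded connections are hitting the `tagged PASS` rule and the gateway's own connections are hitting the untagged `from ($ext_if)` rules rather than the block.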
