From: Reinhard Haller <reinhard.haller@interactive-net.de>
To: freebsd-pf@freebsd.org
Date: Thu, 27 Sep 2007 18:08:36 +0200
Message-ID: <46FBD584.5010907@interactive-net.de>
In-Reply-To: <20070926205421.GE32662@verio.net>
Subject: Re: filtering local traffic on nat gateway
Hi David,

David DeSimone wrote:
> Reinhard Haller wrote:
>
>> Based on the last rule there is no way to distinguish forwarded from
>> local outgoing traffic.
>>
>> Any suggestions?
>
> Change this rule like so:
>
>> nat on $ext_if from !($ext_if) -> ($ext_if)
>
> to
>
>> nat pass on $ext_if from !($ext_if) -> ($ext_if)
>

I used tagging instead:

pass quick proto tcp from $internal_net to $external_net port $tcp_unrestricted_ports tag PASS
pass out on $ext_if from ($ext_if) to $external_net tagged PASS

> This way, all traffic chosen to be nat'd will also pass the ruleset.
> Or rather, bypass the ruleset.
>
> I am worried about your rule, though, because it seems that any even
> traffic arriving from the Internet will have a source IP of !($ext_if),
> so it will end up matching ALL traffic.

The nat rule is borrowed from man pf.conf (translation examples). Hope
they know what they do.

> --
> David DeSimone == Network Admin == fox@verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous." -- Robert Benchley

Greetings
Reinhard
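As an added example that is not part of the thread, the complete pf.conf fragment below puts the tagging approach from the exchange above next to the "nat pass" variant it replaces, and gives the gateway's own outbound traffic its own narrower rule; the interface names, networks and port lists are assumptions.

```conf
# Assumed macros (not from the thread).
ext_if = "em0"
int_if = "em1"
internal_net = "192.168.0.0/24"
external_net = "any"
tcp_unrestricted_ports = "{ 80, 443 }"

set skip on lo0

# Translation. nat rules are evaluated on packets leaving $ext_if, and
# "from !($ext_if)" excludes packets the gateway itself sends, so those
# keep their real source address and stay distinguishable in the filter.
#
# The alternative discussed in the thread,
#     nat pass on $ext_if from !($ext_if) -> ($ext_if)
# translates and passes in one step: translated packets skip the filter
# rules below entirely, so none of the restrictions below would apply to
# forwarded traffic. Plain "nat" keeps the filter in charge.
nat on $ext_if from !($ext_if) -> ($ext_if)

# Filtering. Default deny, then explicit exceptions.
block log all

# Forwarded traffic: tag it as it enters on the internal interface. The
# tag travels with the packet and its state, so the outbound rule on
# $ext_if can still recognise it after the source address was rewritten.
pass in quick on $int_if proto tcp from $internal_net to $external_net \
    port $tcp_unrestricted_ports tag PASS

# Out on $ext_if, only translated (forwarded) packets carry the tag ...
pass out on $ext_if from ($ext_if) to $external_net tagged PASS

# ... while the gateway's own connections arrive here untagged, so they
# need a separate, deliberately narrow rule (assumed: DNS and HTTP(S)).
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to $external_net \
    port { 53, 80, 443 } ! tagged PASS
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows per-rule counters, which is the quickest way to confirm that internal clients hit the tagged rule and the gateway's own traffic hits the untagged one.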