Date: Thu, 14 Feb 2013 20:56:31 +0000
From: Lisa Muir <34.24.34@gmail.com>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Releasing all outgoing ports for a particular IP.
Message-ID: <CACX=3hMXLcKmBU9J9cuJXKkRCiAOwg5E0y4wgFTdvA-gAQH%2BDQ@mail.gmail.com>
In-Reply-To: <20130214200438.GA85777@in-addr.com>
References: <CACX=3hOwVgoZLu79JQ5LcBKNhkgaXOck3Dts9QG5k4wvMpG6zA@mail.gmail.com> <20130214200438.GA85777@in-addr.com>
On Thu, Feb 14, 2013 at 8:04 PM, Gary Palmer <gpalmer@freebsd.org> wrote:
> Hi Lisa,
>
> I believe you should look at PF tags. If you tag the traffic coming in with
> the
>
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
>
> rule, you should then be able to use that in your ext_if rule to ensure
> only those packets are let out
>
> e.g.
>
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports tag MAILSERVER
> pass out quick on $ext_if tagged MAILSERVER

Excellent... exactly what I was hoping for, and it might even solve my UDP dilemma.

I have

CC_UDP = "{15000:15200}"

and then a redirect rule:

rdr on $ext_if proto udp from any to $ext_if port $CC_UDP -> $lm_laptop

and then a pass rule to let it through:

pass quick proto udp from any to any port $CC_UDP

My initial instinct was to confine the pass rule from any to $lm_laptop, but the packets don't forward, presumably because UDP is connectionless and, bar the forward, there is nothing in the UDP packets that specifies an IP-based destination.

I'm going to try tagging these packets also and see if I can refine the pass rule accordingly.

Big thanks for this heads-up.

Lisa.
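For reference, here is an added pf.conf fragment (written for this archive page, not Gary's or Lisa's actual config) that puts the tag/tagged pattern from the reply above into a default-deny ruleset and applies the same idea to the redirected UDP range: the rdr rule sets a tag, so the pass rules match "packets this rdr translated" instead of guessing at addresses. Interface names, addresses and the contents of $all_ports are assumptions; the rdr syntax is the pre-4.7-style one used in the thread.

```pf
# Added example, not from the thread. Macros below are assumed values.
ext_if      = "em0"
vlan4_if    = "vlan4"
emailserver = "192.0.2.10"        # assumed mail server on the vlan4 segment
lm_laptop   = "192.0.2.20"        # assumed laptop that receives the UDP range
all_ports   = "{ 25, 465, 587 }"  # assumed; the thread does not list them
CC_UDP      = "{ 15000:15200 }"

set skip on lo0

# Translation runs before filtering, so the filter rules see the
# redirected destination. Tagging on the rdr rule lets the pass rules
# match exactly the translated packets and nothing else.
rdr on $ext_if proto udp from any to $ext_if port $CC_UDP tag CC_UDP -> $lm_laptop

# Default deny: anything not explicitly tagged and passed below is
# blocked and logged, which is what makes the tags meaningful.
block log all

# Mail server: tag the inbound flow on the internal interface. The tag is
# stored with the state entry, so reply packets carry it too.
pass in quick on $vlan4_if proto tcp from $emailserver to any port $all_ports \
    tag MAILSERVER keep state

# External interface: only tagged packets are allowed out. No other host
# on vlan4 can reach $all_ports through $ext_if.
pass out quick on $ext_if proto tcp tagged MAILSERVER keep state

# Redirected UDP: match by the tag set on the rdr rule, both when the
# packet enters on $ext_if and when it is forwarded out on $vlan4_if.
pass in  quick on $ext_if   proto udp tagged CC_UDP keep state
pass out quick on $vlan4_if proto udp tagged CC_UDP keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to confirm that only untagged traffic hits the block rule.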