Date: Wed, 26 Sep 2007 15:54:22 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Subject: Re: filtering local traffic on nat gateway
Message-ID: <20070926205421.GE32662@verio.net>
In-Reply-To: <46FA215F.7040905@interactive-net.de>
References: <46F819D2.5060904@interactive-net.de> <6e6841490709250820i628855cbn54461cc9671d7f9b@mail.gmail.com> <46FA215F.7040905@interactive-net.de>
Reinhard Haller <reinhard.haller@interactive-net.de> wrote:
>
> Based on the last rule there is no way to distinguish forwarded from
> local outgoing traffic.
>
> Any suggestions?

Change this rule like so:

> nat on $ext_if from !($ext_if) -> ($ext_if)

to

> nat pass on $ext_if from !($ext_if) -> ($ext_if)

This way, all traffic chosen to be nat'd will also pass the ruleset. Or rather, bypass the ruleset.

I am worried about your rule, though, because it seems that even any traffic arriving from the Internet will have a source IP of !($ext_if), so it will end up matching ALL traffic.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
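The two rule forms discussed in the reply, laid out side by side in a pf.conf fragment so the effect of `nat pass` on the rest of the ruleset is visible. This is an added example, not from the thread; the interface names em0/em1 and the 192.168.1.0/24 internal network are assumptions.

```pf
# Constructed pf.conf fragment (interface names and address range assumed)
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# As posted in the thread: NAT everything not sourced from the external
# address. Translated packets are still evaluated by the filter rules
# below, where they cannot be told apart from traffic the gateway
# itself originates.
#nat on $ext_if from !($ext_if) -> ($ext_if)

# Suggested change: "nat pass" translates the packet and passes it
# without consulting the filter rules. The source is also narrowed to
# the internal network so the rule's scope is stated explicitly rather
# than through a negated match.
nat pass on $ext_if from $int_net to any -> ($ext_if)

# Forwarded traffic has already been passed by the NAT rule, so these
# outbound filter rules on $ext_if only ever see traffic originated by
# the gateway itself (source address = the external interface).
block out log on $ext_if
pass out on $ext_if proto tcp from ($ext_if) to any port { 22, 80, 443 } keep state
pass out on $ext_if proto udp from ($ext_if) to any port 53 keep state

# Internal hosts still need to be admitted on the inside interface;
# their packets are then translated by the nat rule on the way out.
pass in on $int_if from $int_net to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, since a syntax error in a nat rule leaves the old ruleset in place.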
