Date: Sun, 6 Feb 2005 17:48:49 +0100
From: Hexren <me@hexren.net>
To: vsavichev@wesleyan.edu
Cc: freebsd-pf@freebsd.org
Subject: Re: block specific IP's: corporate network
Message-ID: <10021429243.20050206174849@hexren.net>
In-Reply-To: <63053.81.30.213.103.1107703511.squirrel@81.30.213.103>
References: <63053.81.30.213.103.1107703511.squirrel@81.30.213.103>
vwe> we have a standard LAN-server-WAN network configuration in
vwe> cyber-cafe
vwe> --LAN---|-em0-server----dc0-|---WAN
vwe> we want to rule outbound client connections, so pf.conf has the following
vwe> layout (only filter rules part)
vwe> .....
vwe> pass quick on $int_if all
vwe> pass quick on lo0 all
vwe> # block specific client's ip's
vwe> #
vwe> block in quick on $ext_if from any to IP
vwe> block out quick on $ext_if from IP to any
vwe> .....
vwe> # stateful pass out rules on the specific ports
vwe> # e.g.
vwe> # Allow out non-secure standard www function
vwe> pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA
vwe> keep state
vwe> ....
vwe> so we assume the given IP should be blocked from the WAN. But to my amusement,
vwe> the client's browser gets out, states are created, so nothing is
vwe> being blocked. For now, I have no clue how it is happening.
vwe> Vlad
vwe> _______________________________________________
vwe> freebsd-pf@freebsd.org mailing list
vwe> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
vwe> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

---------------------------------------------

Shooting in the dark here: are you doing NAT on outbound connections? In that instance the filtering part of the ruleset will see the NATed packet on $ext_if, and as that packet will have as its source the IP of $ext_if, the rule blocking IP (IP being internal) will not catch it. Maybe you should try to do the filtering on $int_if.

Regards
Hexren
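To make the NAT ordering concrete, here is an added pf.conf example (not part of the thread, and not the poster's actual configuration) that reproduces the problem and shows the fix Hexren suggests. Interface names follow the poster's diagram (em0 inside, dc0 outside); the LAN prefix 192.168.1.0/24 and the banned client address 192.168.1.50 are assumed for illustration.

```conf
# Added example, not from the original thread. Interface names follow the
# poster's diagram; the LAN prefix and banned client address are assumed.
int_if  = "em0"
ext_if  = "dc0"
lan_net = "192.168.1.0/24"
banned  = "{ 192.168.1.50 }"

# --- Translation section: pf evaluates these BEFORE the filter rules ------
# With this rule loaded, every outbound LAN packet reaches the filter
# section with its source already rewritten to dc0's address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Original layout (kept as comments): these blocks never match ---------
# On dc0 the source is no longer 192.168.1.50, so "from $banned" is never
# true. Replies to the connection match the state created by the pass out
# rule and are never evaluated against the rule set at all.
# pass quick on $int_if all
# pass quick on lo0 all
# block in  quick on $ext_if from any to $banned
# block out quick on $ext_if from $banned to any

# --- Corrected layout: filter on the inside interface, before NAT ---------
# Packets arriving on em0 still carry the real client source. "quick" stops
# evaluation before the catch-all pass on em0, and "! $lan_net" limits the
# block to WAN-bound traffic so the client can still reach local services.
block in log quick on $int_if from $banned to ! $lan_net
pass quick on $int_if all
pass quick on lo0 all

# Stateful pass-out rules on dc0 stay as they were; the banned client is
# dropped on em0 before it can create a state here.
pass out quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the rule is actually firing, `pfctl -vsr` prints per-rule evaluation and packet counters, `pfctl -ss` shows whether the banned client is still creating states, and because the block rule carries `log`, `tcpdump -n -e -ttt -i pflog0` shows each dropped packet with the rule number that dropped it.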
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?10021429243.20050206174849>