Date:      Wed, 26 Sep 2007 11:07:43 +0200
From:      Reinhard Haller <reinhard.haller@interactive-net.de>
To:        freebsd-pf@freebsd.org
Subject:   Re: filtering local traffic on nat gateway
Message-ID:  <46FA215F.7040905@interactive-net.de>
In-Reply-To: <6e6841490709250820i628855cbn54461cc9671d7f9b@mail.gmail.com>
References:  <46F819D2.5060904@interactive-net.de> <6e6841490709250820i628855cbn54461cc9671d7f9b@mail.gmail.com>

Hi Gilberto,

Gilberto Villani Brito wrote:
> On 24/09/2007, Reinhard Haller <reinhard.haller@interactive-net.de> wrote:
>   
>> Hi,
>>
>> I want to restrict the locally generated outgoing traffic from the nat
>> gateway (cvsup, ddclient i.e. http + https, portupgrade i.e. ftp + http)
>> to the internet.
>>
>> How to distinguish forwarded traffic on tun0 from the local traffic
>> after natting?
>>
>> Thanks
>> Reinhard
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>>     
> Try this:
> block on $ext_if all
> pass in on $int_if from <network> to any
>
>   
Your ruleset blocks all outgoing traffic on $ext_if because there is no
pass rule for outgoing traffic.

My own ruleset works only with the last rule (natting is done before
filtering). At the moment of filtering, all packets have ($ext_if) as their
source address and arbitrary source port numbers.

Based on the last rule there is no way to distinguish forwarded from
local outgoing traffic.

Any suggestions?

Greetings
Reinhard

----------------------
ext_if="tun0"
int_if="fxp0"
internal_net="192.168.0.0/16"
external_net="!192.168.0.0/16"
tcp_unrestricted_ports="{ pop3, imap, ldap, ldaps, nntp, auth, cvsup }"

set skip on lo0
# translation runs before the outbound filter on $ext_if
nat on $ext_if from !($ext_if) -> ($ext_if)
block log all
# forwarded LAN traffic to the listed ports, any interface
pass quick proto tcp from $internal_net to $external_net \
    port $tcp_unrestricted_ports

# without this rule nothing leaves $ext_if: after nat every packet,
# forwarded or local, has ($ext_if) as source
pass out on $ext_if from ($ext_if) to $external_net
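The usual way around this, shown here as an added example and not as a ruleset from anyone in the thread: classify forwarded packets on the interface they enter ($int_if), where their private source address is still visible, and mark them with a pf tag; on $ext_if, pass tagged packets and apply the restrictive rules only to the untagged remainder, which is by construction what the gateway generated itself. Interface names, networks and the unrestricted port list are taken from the ruleset above; the tag name FORWARDED, the port list for the gateway's own tools and the DNS rule are assumptions.

```pf
# Added example: separate forwarded from locally generated traffic on a pf
# NAT gateway using tags. Macros below follow the ruleset in the post;
# FORWARDED and gw_tcp_ports are assumed names/values.
ext_if="tun0"
int_if="fxp0"
internal_net="192.168.0.0/16"
external_net="!192.168.0.0/16"
tcp_unrestricted_ports="{ pop3, imap, ldap, ldaps, nntp, auth, cvsup }"
# assumed: what cvsup, ddclient (http/https) and portupgrade (ftp/http) need
gw_tcp_ports="{ http, https, ftp, cvsup }"

set skip on lo0

# Translation is applied before the outbound filter, so "out on $ext_if"
# never sees a private source address. The only place a forwarded packet
# still carries its real source is "in on $int_if"; classify it there.
nat on $ext_if from !($ext_if) -> ($ext_if)

block log all

# Forwarded traffic: filtered and tagged on the internal interface. The tag
# is sticky and travels with the packet through nat to the outbound rules;
# keep state is explicit so the ruleset does not depend on a pf version
# where it is the default.
pass in quick on $int_if proto tcp from $internal_net to $external_net \
    port $tcp_unrestricted_ports tag FORWARDED keep state
pass out quick on $ext_if tagged FORWARDED keep state

# Anything else leaving $ext_if is untagged, i.e. originated on the gateway
# itself, and is limited to the ports the local tools use (plus DNS, assumed).
pass out quick on $ext_if proto tcp from ($ext_if) to $external_net \
    port $gw_tcp_ports keep state
pass out quick on $ext_if proto udp from ($ext_if) to $external_net \
    port domain keep state
```

Two things to check after loading this: `pfctl -sr` shows the tag and tagged options on the rules so you can confirm the parser accepted them, and `pfctl -vvsr` rule counters should show the `tagged FORWARDED` rule increasing while a LAN host is active and the `gw_tcp_ports` rule increasing only when the gateway itself connects out. Passive FTP from the gateway opens data connections to arbitrary server ports and will be blocked by the port list above; either run it in active mode or handle it with ftp-proxy rather than widening the port range.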