block specific IPs: corporate network

vsavichev at wesleyan.edu
Sun Feb 6 07:25:16 PST 2005


We have a standard LAN-server-WAN network configuration in a
cyber-cafe:

--LAN---|-em0-server----dc0-|---WAN

We want to control outbound client connections, so pf.conf has the following
layout (filter rules part only):

.....
pass quick on $int_if all
pass quick on lo0 all

# block specific clients' IPs
#
block in quick on $ext_if from any  to IP
block out quick on $ext_if from IP to any
.....
# stateful pass out rules on the specific ports
#e.g.
# Allow out non-secure standard www function
pass out quick on $ext_if proto tcp from any  to any port = 80 flags S/SA keep state
....

So we assume the given IP should be blocked from the WAN. But to my amusement,
the client's browser gets out, states are created, so nothing is
being blocked. For now, I have no clue how it is happening.

Vlad
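As an added example (not part of the original post), the same block list placed where pf can actually match the client address: on the internal interface, ahead of the catch-all `pass quick`. It assumes the server NATs the LAN clients behind $ext_if (the post does not say so, but it would explain why "from IP" never matches on dc0), and the LAN prefix and the blocked address 192.168.1.50 are constructed values.

```pf
# Interface names come from the diagram in the post; the LAN prefix and
# the blocked client address below are constructed for this example.
int_if  = "em0"
ext_if  = "dc0"
lan_net = "192.168.1.0/24"
table <blocked_clients> persist { 192.168.1.50 }

# Assumption: the server translates client addresses on the way to the WAN.
# Once this has run, packets leaving $ext_if carry the server's own address,
# so a rule saying "from 192.168.1.50" on $ext_if can never match them.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Layout from the post, kept here only for comparison:
#   pass quick on $int_if all
#   block in  quick on $ext_if from any to 192.168.1.50
#   block out quick on $ext_if from 192.168.1.50 to any
# 'quick' ends evaluation at the first match, so the pass on $int_if wins
# for every client packet, and the $ext_if blocks only ever see translated traffic.

# Corrected layout: decide on $int_if, before translation and before the
# catch-all pass. 'log' sends the dropped packets to pflog0 so the block
# can be confirmed with tcpdump rather than guessed at.
block in  log quick on $int_if from <blocked_clients> to any
block out log quick on $int_if from any to <blocked_clients>
pass quick on $int_if all
pass quick on lo0 all

# Stateful outbound web rule, unchanged in spirit from the post.
pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
```

After loading, `pfctl -vsr` shows per-rule packet counters; the block rule's counter, not the pass rule's, should climb when the blocked client tries to browse.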


More information about the freebsd-pf mailing list