block specific IP's: corporate network
Hexren
me at hexren.net
Sun Feb 6 08:48:54 PST 2005
vwe> we have a standard LAN-server-WAN network configuration in a
vwe> cyber-cafe
vwe> --LAN---|-em0-server----dc0-|---WAN
vwe> we want to rule outbound client connections, so pf.conf has the following
vwe> layout (only filter rules part)
vwe> .....
vwe> pass quick on $int_if all
vwe> pass quick on lo0 all
vwe> # block specific client IPs
vwe> #
vwe> block in quick on $ext_if from any to IP
vwe> block out quick on $ext_if from IP to any
vwe> .....
vwe> # stateful pass out rules on the specific ports
vwe> # e.g.
vwe> # Allow out non-secure standard www function
vwe> pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
vwe> ....
vwe> So we assume the given IP should be blocked from the WAN. But to my amusement,
vwe> the client's browser gets out, states are created, so nothing is
vwe> being blocked. For now, I have no clue how this is happening.
vwe> Vlad
vwe> _______________________________________________
vwe> freebsd-pf at freebsd.org mailing list
vwe> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
vwe> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
---------------------------------------------
Shooting in the dark here: are you doing NAT on outbound connections?
In that case the filtering part of the ruleset will see the NATed
packet on $ext_if, and as that packet will have the IP of $ext_if as its
source, the rule blocking IP (IP being internal) will not catch it.
Maybe you should try doing the filtering on $int_if.
Regards
Hexren
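Editor's note, added to this archived thread: the fragment below is not from Vlad's or Hexren's post. It shows the ruleset rearranged the way Hexren suggests, with the block moved to the inside interface. pf evaluates translation (nat/rdr) rules before filter rules, so a filter rule on $ext_if only ever sees the post-NAT source address; on $int_if the packet still carries the client's real address. The interface names em0/dc0 are from the thread; the client address 192.168.1.50, the macro names, and the assumption that the LAN is $int_if's directly attached network are mine.

```pf
# Added example (not the original poster's pf.conf). Macros are assumed.
ext_if  = "dc0"
int_if  = "em0"
blocked = "{ 192.168.1.50 }"    # assumed client address(es) to cut off

# Translation runs before filtering. Once this rule has rewritten the
# source, a "block out on $ext_if from 192.168.1.50" rule can never match,
# because the packet the filter sees is already from $ext_if's address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filter the client where its real source address is still visible.
# This must sit above "pass quick on $int_if all": with "quick", the
# first matching rule wins, and that pass rule would otherwise win.
# "return" sends a TCP RST / ICMP unreachable so the browser fails fast
# instead of timing out.
block return in quick on $int_if from $blocked to any

# Everything else unchanged from the original layout.
pass quick on $int_if all
pass quick on lo0 all

# Allow out non-secure standard www function
pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
```

Check it before loading with `pfctl -nf /etc/pf.conf` (parse only), load with `pfctl -f /etc/pf.conf`, then have the blocked client try a web page: `pfctl -ss` should show no state entry for 192.168.1.50, and `pfctl -vsr` should show the counters on the new block rule increasing while the port 80 pass rule's do not.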