Help with <other_clients> issue

Travis H. travis at subspacefield.org
Tue Dec 12 19:37:57 PST 2006


On Fri, Dec 08, 2006 at 08:39:29AM -0600, Isaac Grover wrote:
> ext_if="xl2"
> ext_net=$ext_if:network
> wireless_if="xl1"
> wireless_if_addr="192.168.100.1"
> wireless_net=$wireless_if:network
> my_laptop="192.168.100.X"

Is that censored or really an X?

> table <other_clients> { $wireless_net, !$my_laptop }

No point in excluding your laptop because all your rules are permits.

> nat on $ext_if from <other_clients> to any port $tcp_services -> ($ext_if)
> nat on $ext_if from $my_laptop to any -> ($ext_if)
> 
> rdr on $wireless_if inet proto tcp from $wireless_net to any port 80
> -> $wireless_if_addr port 3080

Try putting the "pass" keyword on these; it fixes things if you forget that the
nat/rdr occurs before the filter rules.
 
> pass out on $ext_if inet proto tcp from $wireless_net to any port 3080
> keep state
> pass out on $ext_if inet proto tcp from <other_clients> to any port
> $tcp_services keep state
> pass out on $ext_if inet proto tcp from $my_laptop to any keep state
> pass out on $ext_if inet proto udp from $wireless_net to any port
> $udp_services keep state
> pass inet proto icmp from any to any

Feed your rules into pf and see what pfctl -s all says they expand to.
Redirect it to a file or use "screen" then "screen -r".
-- 
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-
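The two suggestions above (put "pass" on the nat/rdr rules, then load the
file and read back what pfctl expanded it to), as an added example that is
not code from the thread. It writes a constructed pf.conf modelled on the
quoted rules in both forms and counts the translation rules that still
depend on a matching filter rule. Because translation runs before
filtering, the filter sees the rewritten packet: without "pass", the rdr'd
web traffic must be allowed as an inbound packet to the firewall's own
address on port 3080, which is how the constructed file writes that rule;
with "pass", packets matching a nat/rdr rule skip the filter entirely, so
the convenience costs some precision. The tcp_services/udp_services values,
the laptop address 192.168.100.10, the script name and the function names
are assumptions.

```shell
#!/bin/sh
# Added example for the freebsd-pf thread; not the poster's or Travis's file.
# The macro values, 192.168.100.10 and the helper names are assumptions.

# write_pfconf FILE [pass]: write the constructed ruleset to FILE, with the
# "pass" modifier on the nat/rdr rules when a second argument is given.
write_pfconf() {
    out=$1
    if [ -n "${2:-}" ]; then kw="pass "; else kw=""; fi
    cat > "$out" <<EOF
ext_if="xl2"
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=\$wireless_if:network
my_laptop="192.168.100.10"
tcp_services="{ 22, 80, 443 }"
udp_services="{ 53 }"
table <other_clients> { \$wireless_net, !\$my_laptop }

# Translation happens before filtering. Without "pass" the filter rules below
# must match the translated packet; with "pass" matching packets skip them.
nat ${kw}on \$ext_if from <other_clients> to any port \$tcp_services -> (\$ext_if)
nat ${kw}on \$ext_if from \$my_laptop to any -> (\$ext_if)
rdr ${kw}on \$wireless_if inet proto tcp from \$wireless_net to any port 80 -> \$wireless_if_addr port 3080

# Redirected web traffic arrives at the filter as an inbound packet to the
# firewall itself, so it is passed in on the wireless side, not out on ext_if.
pass in on \$wireless_if inet proto tcp from \$wireless_net to \$wireless_if_addr port 3080 keep state
pass out on \$ext_if inet proto tcp from <other_clients> to any port \$tcp_services keep state
pass out on \$ext_if inet proto tcp from \$my_laptop to any keep state
pass out on \$ext_if inet proto udp from \$wireless_net to any port \$udp_services keep state
pass inet proto icmp from any to any
EOF
}

# count_unpassed_translations FILE: number of nat/rdr/binat rules without the
# "pass" modifier, i.e. rules that rely on a filter rule matching the
# translated packet. Prints the count.
count_unpassed_translations() {
    awk '$1 ~ /^(nat|rdr|binat)$/ && $2 != "pass" { n++ } END { print n + 0 }' "$1"
}

# check_with_pfctl FILE: parse the file without loading it and print the
# expanded rules (macros and lists resolved). "pfctl -s all" only shows what
# is currently loaded, so use it after "pfctl -f FILE". Skips when pfctl is
# not installed (e.g. when this script is run on a non-pf host).
check_with_pfctl() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available; skipping parse check" >&2
        return 0
    fi
    pfctl -nvf "$1"
}

# Usage: sh pf-pass-check.sh /etc/pf.conf   (script name is hypothetical)
if [ $# -eq 1 ]; then
    n=$(count_unpassed_translations "$1")
    echo "$n translation rule(s) without 'pass' in $1"
    check_with_pfctl "$1"
fi
```

Run it against your own pf.conf to see which nat/rdr rules still need a
filter rule written for the translated packet; on the firewall itself, load
the file with pfctl -f and then compare "pfctl -s nat" and "pfctl -s rules"
with what you expected, as Travis suggests.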