filtering local traffic on nat gateway
David DeSimone
fox at verio.net
Wed Sep 26 15:49:28 PDT 2007
Reinhard Haller <reinhard.haller at interactive-net.de> wrote:
>
> Based on the last rule there is no way to distinguish forwarded from
> local outgoing traffic.
>
> Any suggestions?
Change this rule like so:
> nat on $ext_if from !($ext_if) -> ($ext_if)
to
> nat pass on $ext_if from !($ext_if) -> ($ext_if)
This way, all traffic chosen to be nat'd will also pass the ruleset.
Or rather, bypass the ruleset.
I am worried about your rule, though, because it seems that even
traffic arriving from the Internet will have a source IP of !($ext_if),
so it will end up matching ALL traffic.
--
David DeSimone == Network Admin == fox at verio.net
"It took me fifteen years to discover that I had no
talent for writing, but I couldn't give it up because
by that time I was too famous." -- Robert Benchley
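A pf.conf fragment, added here as an illustration and not taken from the thread, that puts the nat pass suggestion above into a complete ruleset using the translation-section nat syntax pf had at the time; the interface names and the 192.168.1.0/24 prefix are constructed placeholders.

```conf
# Constructed interface names and LAN prefix; replace with the real ones.
ext_if = "em0"
int_if = "em1"
int_net = "192.168.1.0/24"

# Translation section. "pass" is the change suggested in the reply:
# packets matching this nat rule are translated and passed without
# consulting the filter rules, so the filter section never sees forwarded
# LAN traffic on $ext_if. The source is narrowed from !($ext_if) to the
# LAN prefix so the rule can only match traffic that came from the LAN.
nat pass on $ext_if from $int_net to any -> ($ext_if)

# Filter section. Forwarded traffic already bypassed the filter when it
# was translated, so every "out on $ext_if" rule below applies only to
# connections the gateway itself originates.
block all

# Forwarded LAN traffic is still filtered on its way in on $int_if,
# before the nat rule sees it; tighten this to what the LAN may use.
pass in on $int_if proto { tcp, udp } from $int_net to any keep state

# Locally generated traffic from the gateway's own address: DNS and NTP
# over UDP, plus SSH and HTTP(S) over TCP. Anything else the gateway
# tries to send out is dropped by "block all" and can be logged.
pass out on $ext_if proto udp from ($ext_if) to any \
    port { 53, 123 } keep state
pass out on $ext_if proto tcp from ($ext_if) to any \
    port { 22, 80, 443 } flags S/SA keep state
```

With this layout the gateway's own outbound connections and the LAN's forwarded ones are controlled by different parts of the ruleset, which is the distinction the original rule could not make.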