filtering local traffic on nat gateway
reinhard.haller at interactive-net.de
Thu Sep 27 09:09:02 PDT 2007
David DeSimone wrote:
> Reinhard Haller <reinhard.haller at interactive-net.de> wrote:
>> Based on the last rule there is no way to distinguish forwarded from
>> local outgoing traffic.
>> Any suggestions?
> Change this rule like so:
>> nat on $ext_if from !($ext_if) -> ($ext_if)
> nat pass on $ext_if from !($ext_if) -> ($ext_if)
I used tagging instead:
pass quick proto tcp from $internal_net to $external_net port $tcp_unrestricted_ports tag PASS
pass out on $ext_if from ($ext_if) to $external_net tagged PASS
> This way, all traffic chosen to be nat'd will also pass the ruleset.
> Or rather, bypass the ruleset.
> I am worried about your rule, though, because it seems that even any
> traffic arriving from the Internet will have a source IP of !($ext_if),
> so it will end up matching ALL traffic.
The nat rule is borrowed from man pf.conf (translation examples). I hope
they know what they are doing.
> - --
> David DeSimone == Network Admin == fox at verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
> freebsd-pf at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
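As an added example (not code from this thread, nor from the pf manual), here is a minimal pf.conf that implements the tagging approach on a NAT gateway so that forwarded LAN traffic and the gateway's own outgoing traffic are filtered by separate rules. The interface names em0/em1, the internal network, the port list, and the choice to match forwarded traffic on $int_if before translation are all assumptions.

```pf
# Added example, not from the thread. Interface names, networks and ports
# are assumptions; adjust them for your gateway.
ext_if = "em0"
int_if = "em1"
internal_net = "192.168.1.0/24"
external_net = "any"
tcp_unrestricted_ports = "{ 22, 80, 443 }"

set skip on lo0
scrub in all

# Translation only. Plain "nat" (without "pass") rewrites the source address
# of packets leaving through $ext_if and still runs them through the filter
# rules below; "nat pass" would let translated packets bypass the filter.
# Naming $internal_net instead of !($ext_if) makes explicit which sources
# get translated.
nat on $ext_if from $internal_net to any -> ($ext_if)

block log all

# Forwarded traffic is seen first on $int_if with its original, untranslated
# source address, so this is where it can be told apart from local traffic.
# The tag travels with the packet and its state, so the rule on $ext_if can
# still recognise it after the source has been rewritten to ($ext_if).
pass in quick on $int_if proto tcp from $internal_net to $external_net \
    port $tcp_unrestricted_ports tag PASS keep state
pass out on $ext_if tagged PASS keep state

# Packets the gateway itself originates never carry the tag, so they fall
# through to these rules and can be restricted independently (assumed
# policy: DNS, NTP and the gateway's own HTTP/HTTPS fetches only).
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $external_net port 53 keep state
pass out on $ext_if proto udp from ($ext_if) to $external_net port 123 keep state
pass out on $ext_if proto tcp from ($ext_if) to $external_net port { 80, 443 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. If you later decide to add `pass` to the nat rule, remember that translated packets then skip the filter entirely, so the tagged rule on $ext_if is no longer what decides whether forwarded traffic gets out.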