filtering local traffic on nat gateway
Reinhard Haller
reinhard.haller at interactive-net.de
Thu Sep 27 09:09:02 PDT 2007
Hi David,
David DeSimone wrote:
>
> Reinhard Haller <reinhard.haller at interactive-net.de> wrote:
>
>> Based on the last rule there is no way to distinguish forwarded from
>> local outgoing traffic.
>>
>> Any suggestions?
>>
>
> Change this rule like so:
>
>
>> nat on $ext_if from !($ext_if) -> ($ext_if)
>>
>
> to
>
>
>> nat pass on $ext_if from !($ext_if) -> ($ext_if)
>>
>
>
I used tagging instead:
pass quick proto tcp from $internal_net to $external_net port $tcp_unrestricted_ports tag PASS
pass out on $ext_if from ($ext_if) to $external_net tagged PASS
> This way, all traffic chosen to be nat'd will also pass the ruleset.
> Or rather, bypass the ruleset.
>
> I am worried about your rule, though, because it seems that even any
> traffic arriving from the Internet will have a source IP of !($ext_if),
> so it will end up matching ALL traffic.
>
The nat rule is borrowed from man pf.conf (translation examples). Hope
they know what they do.
> - --
> David DeSimone == Network Admin == fox at verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
Greetings
Reinhard
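The tag/tagged approach from this thread in a complete ruleset, as an added pf.conf example that is not from the thread or from the pf manual page. The interface names, the internal network, the port list and the tag name FORWARDED are assumptions chosen for the illustration; the nat rule is kept without 'pass' so that translated packets still hit the filter, and the tag set on the LAN side is what separates forwarded traffic from what the gateway itself originates, since after translation both carry ($ext_if) as source.

```pf
# Macros; all values below are assumed for the example.
ext_if = "em0"                       # Internet-facing interface
int_if = "em1"                       # LAN interface
internal_net = "192.168.1.0/24"
tcp_unrestricted_ports = "{ 80, 443 }"

# Translate only, without 'pass': translated packets are still filtered,
# so local and forwarded traffic can be treated differently below.
nat on $ext_if from !($ext_if) -> ($ext_if)

# Default deny, logged, so anything the rules below miss shows up in pflog.
block log all

# LAN side: admit the allowed forwarded traffic and mark it. The tag travels
# with the packet (and its state) through to the outbound evaluation.
pass in quick on $int_if proto tcp from $internal_net to any \
    port $tcp_unrestricted_ports tag FORWARDED keep state

# WAN side: after NAT both forwarded and gateway-originated packets have
# ($ext_if) as source, so match on the tag instead of the address.
pass out quick on $ext_if tagged FORWARDED keep state

# The gateway's own traffic is untagged; allow only what the host itself
# needs (here DNS and NTP). Anything else it originates hits 'block log all'.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any \
    port { 53, 123 } keep state
```

Check the result with pfctl -nf /etc/pf.conf before loading; a packet from the gateway itself to an unlisted port should then appear in pflog as blocked, while the same destination from a LAN host is passed and translated.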