[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pf, nat, and routing
On Fri, Feb 15, 2002 at 09:18:30PM +0100, Henning Brauer wrote:
> On Fri, Feb 15, 2002 at 01:08:18PM -0700, Ben Goren wrote:
> > When the pf.conf file instead reads
> > pass in quick on xl1 proto tcp from any to any \
> > port 80 flags S/SA keep state
> > block out all
> > block in all
> > block return-rst out proto tcp all
> > block return-rst in proto tcp all
> > block return-icmp out proto udp all
> > block return-icmp in proto udp all
> > then `lynx http://192.0.2.7/` (a known-working http server)
> > will time out. Attempts to connect on any other port
> > immediately fail with the connection refused.
> That's because the packets are blocked on xl0. A state entry is
> always bound to an interface with pf, and you even specifically
> bound the whole rule to xl1, while not binding the block rules
> to any interface.
Yes; that's a clear and concise way to describe what had been
But! What then is the proper way to permit connections arriving on
one interface to leave on another, and to forbid everything else?
I need to match the packet on xl1 (refer to previous note, id
20020215130818.Z16473@trumpetpower.com) because I need to match
against the right IP address--on xl0, it's already been changed
via NAT to the IP address of xl0. Also, matching on xl1 ensures
that the packets have to come from the internal network and makes
spoofs that much harder.
Is my solution (two rules, one in on xl1 and one out on xl0) the
right one? Is there a better way? (And what about my idea of a new
[demime 0.98d removed an attachment of type application/pgp-signature]