Prohibiting firewall machine from making external connections?
- To: misc@openbsd.org
- Subject: Prohibiting firewall machine from making external connections?
- From: Matt Baker <matt@turophile.net>
- Date: Wed, 20 Feb 2002 22:44:37 -0800
- Content-Disposition: inline
- User-Agent: Mutt/1.3.27i
I have an OpenBSD machine running pf and NAT for my local network.
Everything is working perfectly, but I want to add a rule(s) that will
prohibit the firewall machine from opening connections to the outside
world, except to a handful of specific servers (i.e. cvs).
I can't come up with a valid set of rules to do this, although it
seems like it should be possible. I've searched the list archives and
man pages, but I can't come up with search terms that are specific
enough to return useful results (either I get everything ever written
about "pf" and "block" or I get nothing).
Rules like
block out on $ext_iface from $ext_ip to any
won't work because NAT has already remapped packets from the local
network to $ext_ip by the time they reach $ext_iface. So, how can
packets from the firewall machine be distinguished from packets from
other local machines?
Thanks in advance,
Matt
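One way to draw the distinction the post asks about, given here as an added example and not anything from the thread: a pf.conf fragment in the later `match ... nat-to ... tag` syntax (OpenBSD 4.7 or newer, not the 2002-era `nat` rules), where every translated LAN packet is tagged and untagged, locally originated traffic is confined to the listed servers. The interface names, LAN prefix and server addresses are constructed placeholders.

```pf
# Assumed interface names and addresses (constructed for this example)
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
# Hosts the firewall itself is allowed to reach (constructed placeholders)
cvs_servers = "{ 192.0.2.10, 192.0.2.11 }"

set skip on lo

# NAT the LAN and tag every translated packet. The tag survives into the
# pass/block rules below, so NATed traffic stays distinguishable there
# even though its source address becomes the firewall's own.
match out on $ext_if inet from $int_net to any nat-to ($ext_if) tag LAN_NAT

# Default deny; only the rules below open anything.
block log all

# LAN hosts: accept their traffic on the inside and let it out once it
# carries the NAT tag.
pass in on $int_if inet from $int_net to any
pass out on $ext_if inet tagged LAN_NAT

# Connections into the firewall (here ssh) create state on the way in,
# so their replies need no separate outbound rule.
pass in on $ext_if inet proto tcp to ($ext_if) port 22

# Traffic the firewall originates itself carries no tag: allow it only to
# the handful of servers, everything else falls through to the block.
pass out on $ext_if inet from ($ext_if) to $cvs_servers ! tagged LAN_NAT
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is worth running before the ruleset locks the firewall out of everything but the CVS hosts.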