
Prohibiting firewall machine from making external connections?



I have an OpenBSD machine running pf and NAT for my local network.
Everything is working perfectly, but I want to add a rule(s) that will
prohibit the firewall machine from opening connections to the outside
world, except to a handful of specific servers (e.g. cvs).

I can't come up with a valid set of rules to do this, although it
seems like it should be possible. I've searched the list archives and
man pages, but I can't come up with search terms that are specific
enough to return useful results (either I get everything ever written
about "pf" and "block" or I get nothing).

Rules like

      block out on $ext_iface from $ext_ip to any

won't work because NAT has already remapped packets from the local
network to $ext_ip by the time they reach $ext_iface. So, how can
packets from the firewall machine be distinguished from packets from
other local machines?

Thanks in advance,

Matt
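
The pf.conf fragment below is an added example, not part of Matt's post or of any reply on the list. It shows one way to tell the gateway's own packets apart from forwarded ones: tag every packet as it arrives on the inside interface, so that after NAT has rewritten the source address on the outside interface the tag is still there, while packets the firewall itself generates never pass an inbound rule and therefore never carry it. Interface names, the LAN prefix, the allowed destination address and the ports are placeholders chosen for the example; the NAT line uses the OpenBSD 4.7+ `match ... nat-to` form (on older pf the equivalent is `nat on $ext_if from $lan to any -> ($ext_if)`, and the tag logic is unchanged).

```pf
# Added example (not from the original post): a NAT gateway whose own
# outbound connections are limited to a short allow-list, using tags.
# Interface names, LAN prefix, allowed hosts and ports are assumed values.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Hosts the firewall itself may contact (assumed: an anoncvs mirror, reached
# over ssh or cvs pserver). 203.0.113.10 is RFC 5737 documentation space.
table <fw_allowed> { 203.0.113.10 }
fw_ports = "{ 22, 2401 }"

set skip on lo

# Default deny in both directions on every interface; later rules override
# it because pf uses last-matching-rule semantics unless "quick" is given.
block log all

# Forwarded traffic: tag it as it enters on the inside. The tag stays with
# the packet and its state, so it survives the source-address rewrite on
# $ext_if. Packets generated on the firewall never pass through this rule,
# so they are never tagged.
pass in on $int_if inet from $lan to any tag LAN

# Translate LAN sources to the external address as they leave.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Forwarded (tagged) traffic may leave regardless of its rewritten source.
pass out on $ext_if inet tagged LAN

# Untagged outbound traffic on $ext_if is the firewall's own: allow only the
# permitted hosts and ports; everything else falls through to "block log all".
pass out on $ext_if inet proto tcp from ($ext_if) to <fw_allowed> \
    port $fw_ports ! tagged LAN

# Traffic leaving toward the LAN (replies to LAN connections, the firewall's
# own DNS or DHCP exchanges with LAN hosts) is not restricted by this policy.
pass out on $int_if inet from any to $lan
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then confirm the policy from the gateway with an outbound connection to a host that is not in `<fw_allowed>`; the blocked attempt appears on `pflog0` (`tcpdump -n -e -ttt -i pflog0`) with the untranslated external address as its source, while a LAN client's connection to the same host still goes through. On OpenBSD releases that have the `received-on` filter option, `pass out on $ext_if received-on $int_if` expresses the same distinction without an explicit tag, but the tag form also works on older pf.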