Re: Prohibiting firewall machine from making external connections?
On Wed, Feb 20, 2002 at 10:44:37PM -0800, Matt Baker wrote:
> Rules like
>
> block out on $ext_iface if from $ext_ip to any
>
> won't work because NAT has already remapped packets from the local
> network to $ext_ip by the time they reach $ext_iface. So, how can
> packets from the firewall machine be distinguished from packets from
> other local machines?
You could NAT the firewall's own addresses to another address for the
purpose of blocking it:
nat.conf:

  nat on $ext_if from $ext_if to any -> 127.0.0.1
  nat on $ext_if from $int_if to any -> 127.0.0.1
  nat on $ext_if from $int_if/8 to any -> $ext_if

pf.conf:

  block out on $ext_if all
  pass out on $ext_if from $ext_if to any keep state
NAT rules can specify ports as well. But this kind of moves the filter
criteria from pf.conf to nat.conf, which makes the workaround a little
odd.
What exactly is running on that firewall that you don't trust to make
outgoing connections? Obviously not one of root's processes (since that
could just disable pf). Untrusted user processes? Why do you want to run
such on the firewall, and not on a machine behind it?
Daniel
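As an added example that is not part of this thread, the following Python model of the old nat.conf/pf.conf pipeline (nat rules are first-match and applied before the outbound filter, filter rules are last-match) replays both the "block out ... from $ext_ip" attempt and the 127.0.0.1 rewrite above. The addresses 192.0.2.1, 10.0.0.1 and 10.0.0.0/8 are constructed stand-ins for $ext_if, $int_if and $int_if/8.

```python
import ipaddress

# Constructed addresses standing in for the macros used in the message.
EXT_IF = ipaddress.ip_address("192.0.2.1")    # $ext_if (Matt's $ext_ip)
INT_IF = ipaddress.ip_address("10.0.0.1")     # $int_if
INT_NET = ipaddress.ip_network("10.0.0.0/8")  # $int_if/8
LOOPBACK = ipaddress.ip_address("127.0.0.1")

def matches(addr, spec):
    """spec is an interface address, a network, or None meaning 'all'."""
    if spec is None:
        return True
    return addr == spec if isinstance(spec, ipaddress.IPv4Address) else addr in spec

# nat.conf rules as (source spec, new source).  nat is FIRST-match, so the
# $int_if rule has to come before $int_if/8, otherwise the firewall's own
# internal address would be masqueraded like any other internal host.
NAT_WORKAROUND = [(EXT_IF, LOOPBACK), (INT_IF, LOOPBACK), (INT_NET, EXT_IF)]
NAT_PLAIN = [(INT_NET, EXT_IF)]  # the usual single masquerading rule

# pf.conf rules as (action, source spec).  The filter is LAST-match.
FILTER_WORKAROUND = [("block", None), ("pass", EXT_IF)]
FILTER_NAIVE = [("pass", None), ("block", EXT_IF)]  # block out ... from $ext_ip

def translate(src, nat_rules):
    for spec, new_src in nat_rules:
        if matches(src, spec):
            return new_src
    return src

def filter_decision(src, filter_rules):
    decision = "pass"  # pf passes when no rule matches
    for action, spec in filter_rules:
        if matches(src, spec):
            decision = action
    return decision

def outbound(src, nat_rules, filter_rules):
    """Outbound on $ext_if: translate first, then filter on the translated source."""
    return filter_decision(translate(ipaddress.ip_address(src), nat_rules), filter_rules)

def translated_source(src, nat_rules):
    return str(translate(ipaddress.ip_address(src), nat_rules))

if __name__ == "__main__":
    for src in ("10.0.0.5", "192.0.2.1", "10.0.0.1"):
        print(src, "naive:", outbound(src, NAT_PLAIN, FILTER_NAIVE),
              "workaround:", outbound(src, NAT_WORKAROUND, FILTER_WORKAROUND))
```

With the plain nat rule the naive filter blocks the internal host as well as the firewall, because both reach the filter with source $ext_if; with the rewrite, only the firewall's own packets arrive as 127.0.0.1 and are dropped.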