[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Prohibiting firewall machine from making external connections?
On Wed, Feb 20, 2002 at 10:44:37PM -0800, Matt Baker wrote:
> Rules like
> block out on $ext_iface if from $ext_ip to any
> won't work because NAT has already remapped packets from the local
> network to $ext_ip by the time they reach $ext_iface. So, how can
> packets from the firewall machine be distinguished from packets from
> other local machines?
You could NAT the firewall's own addresses to another address for the
purpose of blocking it:
nat on $ext_if from $ext_if to any -> 127.0.0.1
nat on $ext_if from $int_if to any -> 127.0.0.1
nat on $ext_if from $int_if/8 to any -> $ext_if
block out on $ext_if all
pass out on $ext_if from $ext_if to any keep state
NAT rules can specify ports as well. But this kind of moves the filter
criteria from pf.conf to nat.conf, which makes the workaround a little
What exactly is running on that firewall that you don't trust to make
outgoing connections? Obviously not one of root's processes (since that
could just disable pf). Untrusted user processes? Why do you want to run
such on the firewall, and not on a machine behind it?