On Mon, Aug 08, 2005 at 06:18:28PM +0400, Sergey Lapin wrote:

> It does not help. Actually, it looks like pf does not have control
> over outgoing packets produced by pf itself. I can neither block
> nor reroute these packets. I checked this very easily - I created the
> rules
> 
> block out log quick from SOME_OUTSIDE_HOST/32 to any
> block out log quick from any to SOME_OUTSIDE_HOST/32
> 
> and made them the very first rules of the firewall. Needless to say, when I
> tried to telnet to router port 9999 from SOME_OUTSIDE_HOST, tcpdump on
> the pflog0 device got the incoming SYN but did not show the RST. On the
> other hand, tcpdump on the default gateway interface showed the outgoing
> RST. Again, from this I conclude that pf-generated packets (RST/ICMP)
> are not subject to ruleset processing.

No, they are not.

You can try a 6.0 RC containing a newer version of pf which sends TCP
RSTs (generated by 'return-rst') back out through the interface the
blocked packet came in through.

Alternatively, use multiple filtering devices, one in front of each
uplink.

Daniel
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf