Sergey Prisyazhniy <[EMAIL PROTECTED]> writes:

> Yes, Luca :). The thing is that I want, for example, to set up remote
> machines via siteXYtools (and also load pf.conf).
> And as you can see, I don't know anything about the remote NICs, so in
> this case I want to make a fully automatic process... :)

As I said earlier, if your requirements can be satisfied by a rule set
that does not specify on which interface the filtering happens, you're
OK.

For example, your definition of 'the local net' does not need to be
$int_if:network, it could equally well be 'localnet = 194.54.103.64/26' 
or somesuch, with rules like

localnet = 194.54.103.64/26
client_out = "{ ssh, domain, pop3, auth, nntp, http, https }"

block all
pass inet proto tcp from $localnet to any port $client_out \
     flags S/SA keep state
pass inet proto tcp from any to $localnet port ssh flags S/SA keep state

I have a semi-rant about these things in the tutorial[1], which I
probably will be accused of plugging quite shamelessly at this point.

[1] http://home.nuug.no/~peter/pf/, specifically about these matters at 
    http://home.nuug.no/~peter/pf/en/basicgw.html#GWPITFALLS and
    http://home.nuug.no/~peter/pf/en/whatsyourlocalnet.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
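To illustrate the point in Peter's reply, here is an added example (mine, not from the message or the tutorial) that puts an interface-bound rule set next to the address-only rewrite of the same policy; the local net is the 194.54.103.64/26 from the thread, while the NIC name fxp0 and the two admin host addresses are constructed placeholders:

```pf
# Added example, not from the original message. The same policy is
# written twice: the first form names an interface and breaks on any
# remote box whose NIC is called something else; the second references
# only addresses, so one pf.conf can be pushed unchanged to hosts with
# different NICs.

# --- interface-bound form (what to avoid for unattended remote setup) ---
# int_if = "fxp0"                  # guessed NIC name, wrong on other hosts
# localnet = $int_if:network       # resolved from the NIC at load time
# client_out = "{ ssh, domain, pop3, auth, nntp, http, https }"
# block all
# pass on $int_if inet proto tcp from $localnet to any port $client_out \
#      flags S/SA keep state

# --- interface-independent form ---
localnet = "194.54.103.64/26"      # local net from the thread
client_out = "{ ssh, domain, pop3, auth, nntp, http, https }"
table <admins> { 194.54.103.65, 194.54.103.66 }   # constructed placeholders

block all

# outbound client traffic from the local net, stateful
pass inet proto tcp from $localnet to any port $client_out \
     flags S/SA keep state
pass inet proto udp from $localnet to any port domain keep state

# inbound ssh only from the admin hosts, not from anywhere
pass inet proto tcp from <admins> to $localnet port ssh \
     flags S/SA keep state

# echo request so the remote box stays reachable for diagnostics
pass inet proto icmp from $localnet to any icmp-type echoreq keep state
```

Nothing in the second form depends on the interface name, which is exactly what an unattended deployment needs; what you give up is anything inherently per-interface, such as antispoof or nat rules, which have to be added per host or left out.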
