On Tuesday, 2003-02-25 at 14:56:49 -0600, morgan henning wrote:
> You know, you're right. I was thinking on the way into an interface, not
> on the way out. But, why not try this:
>
> # hme0 - internet
> # hme1 - internal
> # to allow traffic destined for the firewall
> pass in quick on hme1 from 10.0.0.0/8 to 10.0.0.1/32
> # block traffic that's trying to leave
> block in on hme1 from any to 10.0.0.0/8
> block in on hme1 from any to 192.168.0.0/16
>
> Wouldn't that work for you ?

No, I need to pass traffic to any address. I do not want to pass any traffic to the firewall. Only SSH to the firewall is allowed.

BTW, I'm talking about *from* 10.0.0.0/8 et al.

> Also, if you're NAT-ing everything, why would anything ever leave your
> network with a non-routable IP ?

It leaves the *firewall*. The network the firewall is connected to does not belong to my client. I don't like RFC source addresses getting to that network.

The real reason for the behavior I described is that my rule was incomplete. Matej 'Kockac' Kubik pointed this out in a private mail. What I need is this ruleset:

    map fxp0 from 192.168.0.0/18 to 0.0.0.0/0 -> 1.2.3.4/32 portmap tcp/udp auto
    map fxp0 from 192.168.0.0/18 to 0.0.0.0/0 -> 1.2.3.4/32

The first rule permits "port relocation". I.e. the first internal NTP server to send packets retains the source port number, the source port for the second internal NTP server gets relocated. So no RFC1918 addresses should be visible outside anymore.

I'm still concerned that the map rule lets some packets pass unmapped. This is unexpected and undesirable. I'd rather have them dropped and logged. AFAIK this is not possible.

It might even happen with the portmap rule, if the port space fills up. I imagine ipfilter uses (source address, source port, destination address, destination port) to identify NAT table entries. Source address will always be the same, but if we have a pathological case where many connections are made to the same (destination address, destination port), this situation could occur.
Lupe Christoph
--
| [EMAIL PROTECTED]                  | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be      |
| unsinkable. The designer had a speech impediment. He said: "I have  |
| thith great unthinkable conthept ..."                               |
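An added model of the two-rule scheme discussed in the thread (written for this page, not ipfilter's code): a portmap rule that keeps the source port when the external tuple is free and relocates it otherwise, and a plain map fallback that only rewrites the address. The NTP client addresses, the server address and the tiny relocation port range are constructed so that the collision the author observed and the port-exhaustion case he worries about both show up; the model also keeps the list of packets that would leave unmapped, which is what a drop-and-log rule would catch.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.0.0/18")   # from the ruleset in the post
PUBLIC_IP = "1.2.3.4"                               # from the ruleset in the post

class NatModel:
    """Toy NAT table keyed the way the post assumes: one entry per
    (external port, destination address, destination port)."""

    def __init__(self, portmap=True, port_range=(40000, 40001)):
        self.portmap = portmap
        self.port_range = port_range   # constructed, deliberately tiny
        self.table = {}                # (ext port, dst, dport) -> (src, sport)
        self.by_inside = {}            # (src, sport, dst, dport) -> ext port
        self.unmapped = []             # packets that left with an RFC1918 source

    def translate(self, src, sport, dst, dport):
        """Return the (address, port) the packet leaves the firewall with."""
        if ipaddress.ip_address(src) not in INTERNAL:
            return (src, sport)        # not covered by the map rules
        inside = (src, sport, dst, dport)
        if inside in self.by_inside:   # existing session, reuse its entry
            return (PUBLIC_IP, self.by_inside[inside])
        if (sport, dst, dport) not in self.table:   # plain map: keep the port
            self.table[(sport, dst, dport)] = (src, sport)
            self.by_inside[inside] = sport
            return (PUBLIC_IP, sport)
        if self.portmap:               # "portmap ... auto": relocate the port
            lo, hi = self.port_range
            for p in range(lo, hi + 1):
                if (p, dst, dport) not in self.table:
                    self.table[(p, dst, dport)] = (src, sport)
                    self.by_inside[inside] = p
                    return (PUBLIC_IP, p)
        # No usable entry (tuple taken, or port space exhausted): the packet
        # leaves unmapped, which is the behaviour the post describes.
        self.unmapped.append(inside)
        return (src, sport)

def ntp_scenario(sources, portmap, port_range=(40000, 40001)):
    """Internal NTP clients (constructed addresses) all sending from port
    123 to one external server on port 123, the worst case for the table."""
    nat = NatModel(portmap=portmap, port_range=port_range)
    results = [nat.translate(s, 123, "198.51.100.7", 123) for s in sources]
    return results, nat.unmapped
```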
