Leonardo Carneiro - Veltrac wrote:
> Leonardo Carneiro - Veltrac wrote:
>   
>> Hi Shane, Heya and others. I tried a new setup, using tables (looks more 
>> efficient than using a thousand rules for each variable). But it is still 
>> failing :(
>>
>>     # tables
>>     table <msn-rdr> persist const file "/etc/pf.conf.d/msn-rdr"
>>     table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"
>>
>>     # msn proxy
>>     rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
>>     rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy
>>
>>     # msn filter
>>     pass out quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port 1863
>>     block out quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863
>>
>> In the msn-rdr table are the IPs of the hosts that should be redirected to 
>> the proxy, and in msn-allow are the IPs of the hosts that should be 
>> allowed to connect directly to MSN over the internet (including 
>> the host $proxy). The $proxy host is on a fourth interface named $dmz_iface.
>>
>> If I remove the "quick" statement from the block rule, anyone on any 
>> interface can connect, and with the "quick" statement, no one can =S.
>> Also, back in February, when I just redirected everyone to the proxy, 
>> the rdr rules used to work, but with this more selective rule, it's not 
>> working at all.
>>
>> Thanks in advance.
>>   
>>     
> Hmm, I'm almost getting it. Switching
>
> block *out* quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863
>
> to
>
> block *in* quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863
>
> solved the problem partially. Now, the allowed hosts are being allowed 
> and the others are not, but the hosts that should be redirected are not 
> being redirected and also cannot connect.
>   
I'm well aware that nat occurs before filtering, but what about 
redirections that do not involve nat?
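Added editor's example, not the poster's ruleset or a reply from the thread: a pf.conf fragment in the same pre-4.7 rdr syntax as the rules quoted above, showing how the translation and filter sections interact. An rdr rule is evaluated before any filter rule, and a packet that matches it reaches the filter rules with its destination already rewritten to $proxy (and, because no port follows "->", the original port 1863 or 25000:30000). A "block in quick ... from ! <msn-allow> to any port 1863" therefore also matches the rewritten packets of the <msn-rdr> hosts, unless a pass rule for those flows comes first. The interface macros and the two tables are the thread's own; the macro values and the $proxy address are assumed placeholders.

```pf
# Added example, not the original poster's pf.conf. Macro values are assumed
# placeholders; the interface names, tables and $proxy come from the thread.
inet_iface = "em0"
lan1_iface = "em1"
lan2_iface = "em2"
dmz_iface  = "em3"
proxy      = "192.0.2.10"          # assumed address of the MSN proxy in the DMZ

table <msn-rdr>   persist const file "/etc/pf.conf.d/msn-rdr"
table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

# Translation section: evaluated before every filter rule. A matching packet
# from a <msn-rdr> host leaves this section with destination $proxy and its
# ORIGINAL destination port (no port is given after "->").
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy

# Filter section. Inbound on the LAN interfaces the packet is already
# rewritten, so it has to be matched against $proxy, not the MSN server.
# This pass rule must precede the block rule below: that block matches
# "to any port 1863" from anything not in <msn-allow>, which includes the
# translated packets of the <msn-rdr> hosts.
pass in quick on { $lan1_iface, $lan2_iface } inet proto tcp \
    from <msn-rdr> to $proxy port { 1863, 25000:30000 } keep state

# Hosts that may talk to MSN directly (the proxy itself is in <msn-allow>).
pass in quick on { $lan1_iface, $lan2_iface, $dmz_iface } inet proto tcp \
    from <msn-allow> to any port 1863 keep state

# Everybody else on the internal interfaces is refused.
block in quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863

# Forwarded leg: the rewritten packet leaves on $dmz_iface toward $proxy with
# the LAN host as its source (rdr does not change the source), so an outbound
# pass on that interface is still required.
pass out quick on $dmz_iface inet proto tcp from <msn-rdr> to $proxy \
    port { 1863, 25000:30000 } keep state
```

To check a ruleset like this before loading it, parse it with "pfctl -nf /etc/pf.conf", then compare what was actually loaded with "pfctl -sn" (translation rules) and "pfctl -sr" (filter rules), and confirm the table contents with "pfctl -t msn-rdr -T show" and "pfctl -t msn-allow -T show"; a host that ends up in neither table, or in both, explains most "allowed but not redirected" symptoms.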
