On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
> my question is that how can I exclude my firewall from being able to do
> it?
I'm really not sure why you don't want the firewall to be able to
traceroute. (hint: if you can't trust the users on your firewall to
behave responsibly with basic troubleshooting tools, you're Doing It
Wrong (tm)). However, here is one way that you can get the effect you're
looking for, using the 'tag' and 'tagged' keywords:
# NAT the LAN out through the external interface
match out on $ext_if from $lan_net nat-to ($ext_if)
# accept UDP traceroute probes from the admin PC that are not aimed at the
# firewall itself ('><' is exclusive, so this covers ports 33434-33625)
# and mark them with the ADMIN tag
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 tag ADMIN
# only probes carrying the ADMIN tag match this outbound rule
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 tagged ADMIN
Note I've removed the 'keep state'; it's not necessary to specify that
anymore.
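For anyone wanting to see the tag/tagged approach in a complete ruleset, here is an added pf.conf fragment (example code, not from the message above). The interface names and addresses are made-up values; the point is that with a default block, a probe the firewall generates itself carries no tag, so it never matches the tagged pass out rule and is dropped.

```pf
# Assumed macro values (constructed for this example)
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.168.1.0/24"
admin_pc = "192.168.1.10"

set skip on lo

# Default deny, logged. This is what actually stops the firewall's own
# traceroute: its locally generated UDP probes carry no tag and match
# nothing below, so they hit this rule and appear in pflog.
block log all

# Outbound NAT for the LAN; later rules see the translated source address.
match out on $ext_if from $lan_net nat-to ($ext_if)

# Tag UDP traceroute probes from the admin PC that are not aimed at the
# firewall. '><' is an exclusive range, so this covers 33434-33625, which
# includes the classic traceroute probe ports starting at 33434.
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 tag ADMIN

# Let only tagged probes leave. 'tagged' tests a mark set earlier in this
# same ruleset, so a probe originating on the firewall can never satisfy it.
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 tagged ADMIN

# The ICMP time-exceeded / port-unreachable replies for the admin PC's probes
# are matched to the state created by the pass out rule, so no separate
# inbound ICMP rule is needed for them. Other pass rules for normal LAN
# traffic would follow here.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then run a traceroute from the firewall and from the admin PC while watching `tcpdump -n -e -ttt -i pflog0 udp`: the firewall's own probes should show up as blocked by the default rule, the admin PC's as passed with the ADMIN tag path.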