l...@animata.net (David Gwynne), 2011.01.20 (Thu) 10:20 (CET):
> either:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state tag mytracert
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state tagged mytracert
>
> or:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state tagged mytracert received-on $int_if
I guess there is a ``tagged mytracert'' copy-paste error, removed it:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state

pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state received-on $int_if

Bye,
Marcus

> On 20/01/2011, at 6:17 PM, Indunil Jayasooriya wrote:
> > Hi list,
> >
> > I have a question. I want my PC (i.e. admin_pc) to be able to traceroute
> > from behind an OpenBSD 4.8 pf firewall (doing NAT). So I have added the
> > rules below to the pf.conf file.
> >
> > match out on $ext_if from $lan_net nat-to ($ext_if)
> >
> > pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
> >     port 33433 >< 33626 keep state
> >
> > pass out log on $ext_if inet proto udp from $ext_if to any \
> >     port 33433 >< 33626 keep state
> >
> > Due to the above rules, my PC can traceroute. It works fine. *But*, in
> > addition to that, the firewall can also traceroute because of the above
> > *pass out* rule. I *do NOT* want the firewall to be able to traceroute.
> >
> > My question is: how can I exclude my firewall from being able to do it?
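As an added example (not part of the thread, and not the poster's actual configuration), here is a complete minimal pf.conf that assembles the received-on variant from the replies above into a default-deny ruleset. The interface names, the LAN prefix and the admin workstation address are assumptions chosen for illustration.

```pf
# Assumed macro values (illustrative, not from the thread).
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
admin_pc = "192.168.1.10"

set skip on lo

# Default deny, logged, so anything not explicitly allowed below shows up
# on pflog0. Last matching rule wins, so this sits first.
block log all

# Source NAT for the LAN behind $ext_if (same match rule as in the thread).
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# UDP traceroute probes from the admin workstation, entering on the LAN
# side, destined anywhere except the firewall's own LAN address.
# "33433 >< 33626" is an exclusive range, so it covers 33434 .. 33625,
# which is where traceroute(8) puts its per-hop probe ports by default.
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state

# Let those probes leave via $ext_if only if they were received on
# $int_if, i.e. only forwarded traffic. Packets the firewall generates
# itself were not received on any interface, so "received-on $int_if"
# never matches them and they fall through to "block log all".
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state received-on $int_if
```

There is deliberately no general `pass out on $ext_if` rule, so the firewall's own probes have nothing else to match; add narrower pass out rules (DNS, NTP, package mirrors) for the firewall itself if it needs them. No separate ICMP rule is required for the hop replies: pf associates ICMP time-exceeded and unreachable messages with the UDP state that triggered them. To check the result, parse the file with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, then run `traceroute` from the admin workstation (should work) and from the firewall itself (should only time out), while `tcpdump -n -e -ttt -i pflog0` on the firewall shows the pass for the forwarded probes and the block for the local ones.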