I've been thinking about this for months (on and off) but as soon as I
send the email a solution occurs to me. Typical.
On 30/01/2012 12:31, Justin Murdock wrote:
OpenBSD 4.9 GENERIC.MP#819 amd64
I'm not quite sure when things changed, but I can no longer apply
rules to locally originating traffic; the following doesn't work as I
would wish:
match out log received-on lo
I can, however, catch this traffic using
match out log user != unknown
pass on $dmz to port {http, https, ssh}
block out on lo
pass out on lo from <trusted> to port ssh
similarly becomes:
pass on $dmz to port {http, https, ssh}
block in user != unknown
pass in from <trusted> to port ssh user != unknown
I feel I must be missing something, I'm just not sure what.
I'm not entirely comfortable with this - especially as the "... in ...
user != unknown" construction depends on there being a listening socket
- which could be quite interesting with the rdr-to interactions.
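To make the two rule sets from this thread easier to compare, here is the "before" and "after" written out as a single pf.conf fragment. This is an added example, not a rule set posted by Justin or shipped with OpenBSD; $dmz and <trusted> are the thread's own names, while the interface name and table addresses are assumed for illustration only.

```pf
# Added example, not from the original thread. Interface and addresses are
# assumed; $dmz and <trusted> are the names used in the message.
dmz = "em1"
table <trusted> { 192.0.2.10, 192.0.2.11 }

# Form that no longer catches locally originating traffic on this host:
# a packet generated by a local socket has no receiving interface, so
# "received-on lo" does not apply to it.
#   match out log received-on lo
#   block out on lo
#   pass out on lo from <trusted> to port ssh

# Form that does work: match on socket ownership instead of interface.
# "user != unknown" is true only when the packet is associated with a
# socket on this host, so on the out side it selects locally generated
# traffic.
match out log user != unknown
pass on $dmz to port { http, https, ssh }

# On the in side the same test needs a LISTENING socket to be true: a
# packet to a port with no listener is "user unknown" and never reaches
# the pass rule below. This is the caveat raised in the reply, and it is
# also why rdr-to interactions deserve a second look (the destination
# socket pf sees is the one after translation).
block in user != unknown
pass in from <trusted> to port ssh user != unknown
```

Check the syntax without loading it with `pfctl -nf /path/to/pf.conf`, and after loading confirm which rule a given outbound connection hits with `pfctl -vvsr` (rule counters) or the log interface, since whether `user != unknown` applies depends on pf finding the owning socket at evaluation time rather than on the interface name.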