# Define useful variables #
ExtIF="dc1"                 # External Interface
IntIF="dc0"                 # Internal Interface
loopbackIF="lo0"            # Loopback Interface
#
IntNet="192.168.100.0/24"   # Our internal network
<snip />
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.100.1
nat on $ExtIF from $IntNet to any -> ($ExtIF)
(Note: Comments should match code, whenever possible...)
<snip />
block in quick on $ExtIF from any to 192.168.100.130
block out quick on $ExtIF from 192.168.100.130 to any
block in quick on $IntIF from any to 192.168.100.130
block out quick on $IntIF from 192.168.100.130 to any
Ok, what we have here is NAT happening before PF. By the time these block lines get run *all* 192.168.100.0/24 addresses have been re-written to dc1's address. Therefore you can't block on them. (Since the packets don't have them.)
Suggestions: re-address 192.168.100.130 to, say, 192.168.101.130 or change $IntNet to exclude it. (While keeping the rest of your network, of course.)
Daniel T. Staal
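The following ruleset is an added example, not part of the mail above, showing one way to carry out the second suggestion (keep the host out of $IntNet as far as NAT is concerned) with pf's "no nat" rule, which is evaluated before the nat rule and exempts matching packets from translation. Interface and macro names are the ones quoted in the mail; the $Isolated macro is an added name for the host being blocked.

```pf
# Added example (not the original poster's or the list's config):
# exempt one host from NAT so the filter rules on $ExtIF still see
# its real 192.168.100.130 address and can block on it.
ExtIF="dc1"                 # External Interface
IntIF="dc0"                 # Internal Interface
loopbackIF="lo0"            # Loopback Interface
IntNet="192.168.100.0/24"   # Our internal network
Isolated="192.168.100.130"  # host to keep off the Internet (added macro)

# "no nat" must come before the nat rule; the first match wins, so
# packets from $Isolated leave dc1 untranslated (and are then blocked).
no nat on $ExtIF from $Isolated to any
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# Filter rules now match the untranslated address in both directions.
block in  quick on $ExtIF from any to $Isolated
block out quick on $ExtIF from $Isolated to any
block in  quick on $IntIF from any to $Isolated
block out quick on $IntIF from $Isolated to any
```

Check the syntax without loading it with `pfctl -n -f /etc/pf.conf`; the same effect can also be had by writing the nat rule's source as a list that negates the host, e.g. `from { $IntNet, !$Isolated }`, which is the "change $IntNet to exclude it" route.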
