On Thu, Dec 18, 2003 at 10:39:19PM -0500, Daniel Staal wrote:
> >block in quick on $ExtIF from any to 192.168.100.130
> >block out quick on $ExtIF from 192.168.100.130 to any
> >block in quick on $IntIF from any to 192.168.100.130
> >block out quick on $IntIF from 192.168.100.130 to any
>
> Ok, what we have here is NAT happening before PF. By the time these
> block lines get run *all* 192.168.100.0/24 addresses have been
> re-written to dc1's address. Therefore you can't block on them.
> (Since the packets don't have them.)
>
> Suggestions: re-address 192.168.100.130 to, say, 192.168.101.130 or
> change $IntNet to exclude it. (While keeping the rest of your
> network, of course.)
Why so complicated? You can just block them on the internal interface. Or use tags. Or or or..

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
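The two approaches Henning names, written out as a pf.conf fragment. This is an added example, not part of the thread; the interface names, the NAT rule, the `$IntNet` value and the tag name are assumptions, and only the host address and the `$ExtIF`/`$IntIF` macro names come from the quoted rules. It uses the OpenBSD 3.4-era syntax in which `nat` rules are separate from filter rules and `keep state` is explicit.

```pf
# Added example (not from the thread). Interface names, network and
# tag name are assumptions; 192.168.100.130 is the host from the quoted rules.
ExtIF   = "fxp0"
IntIF   = "fxp1"
IntNet  = "192.168.100.0/24"
Blocked = "192.168.100.130"

# NAT is applied on $ExtIF. A packet seen "out on $ExtIF" already carries
# the external address, so filtering on $Blocked there never matches.
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# Option 1: filter on the internal interface, where the packet still
# carries its original source/destination address. "quick" stops rule
# evaluation so the later pass rules cannot override the block.
block in  quick on $IntIF from $Blocked to any
block out quick on $IntIF from any to $Blocked

# Option 2 (use instead of option 1): tag the host's packets as they
# arrive on $IntIF, then drop anything carrying the tag on $ExtIF, after
# NAT has rewritten the addresses. The tag is carried with the packet
# and its state, so the rewritten address no longer matters.
#pass in quick on $IntIF from $Blocked to any tag NO_INET keep state
#block out quick on $ExtIF tagged NO_INET

# Everything else from the internal network is allowed out.
pass in  on $IntIF from $IntNet to any keep state
pass out on $ExtIF from ($ExtIF) to any keep state
```

Check with `pfctl -nf /etc/pf.conf` before loading; it parses the file without applying it. Either option keeps the rest of `$IntNet` intact, which is the point of Henning's objection to re-addressing the host.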
