I tried the exact same lines on the $IntIf and it didn't block anything there either. I'll investigate the use of tags and see if that will work. Thanks for the idea
Jim

----- Original Message -----
From: "Henning Brauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 19, 2003 5:43 AM
Subject: Re: the zen of pf

> On Thu, Dec 18, 2003 at 10:39:19PM -0500, Daniel Staal wrote:
> > >block in quick on $ExtIF from any to 192.168.100.130
> > >block out quick on $ExtIF from 192.168.100.130 to any
> > >block in quick on $IntIF from any to 192.168.100.130
> > >block out quick on $IntIF from 192.168.100.130 to any
> >
> > Ok, what we have here is NAT happening before PF. By the time these
> > block lines get run *all* 192.168.100.0/24 addresses have been
> > re-written to dc1's address. Therefore you can't block on them.
> > (Since the packets don't have them.)
> >
> > Suggestions: re-address 192.168.100.130 to, say, 192.168.101.130 or
> > change $IntNet to exclude it. (While keeping the rest of your
> > network, of course.)
>
> why so complicated?
> you can just block them on the internal interface.
> or use tags. or or or..
>
> --
> Henning Brauer, BS Web Services, http://bsws.de
> [EMAIL PROTECTED] - [EMAIL PROTECTED]
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)
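The two approaches Henning suggests (block on the internal interface, or tag there and block on the external one), written out as a pf.conf excerpt. This is an added example, not Jim's ruleset or anything posted in the thread; the interface names, $IntNet and the nat rule are assumed, and only the host address 192.168.100.130 comes from the discussion above. The point it shows is the ordering: translation runs before filtering, so a rule on $ExtIF that names the internal address can never match, while a rule on $IntIF, or a tag set there, still sees the host.

```pf
# pf.conf excerpt (added example, not from the thread).
# Assumed macros; adjust to the real interfaces.
ExtIF = "fxp0"
IntIF = "fxp1"
IntNet = "192.168.100.0/24"
blocked_host = "192.168.100.130"

# nat is evaluated before the filter rules, so on $ExtIF the source
# address has already been rewritten to $ExtIF's address. A
# "block out on $ExtIF from 192.168.100.130" there matches nothing.
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# Option A (simplest): stop the host on the internal interface, before
# translation, where its real address is still in the packet. These
# rules must come before any "pass ... quick" rule that would match the
# host first, and any state the host already has must be flushed
# (pfctl -F state) or those sessions keep matching the state table
# instead of the rules.
block in quick on $IntIF from $blocked_host to any
block out quick on $IntIF from any to $blocked_host

# Option B: tag the host's packets as they enter on $IntIF and block by
# tag on $ExtIF. The tag is kept with the packet and its state across
# translation, so it still identifies the host after the rewrite.
# (Use A or B, not both: with A in place the tagging rule never matches.)
pass in quick on $IntIF from $blocked_host to any tag BLOCKED_HOST keep state
block out quick on $ExtIF tagged BLOCKED_HOST

# Remaining internal traffic is allowed out as usual.
pass in on $IntIF from $IntNet to any keep state
pass out on $ExtIF from ($ExtIF) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -vsr` shows per-rule packet counters, which is the quickest way to confirm whether a block rule is matching at all.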
