Blocking them on the internal interface won't work: they've already been nat'ed.
huh? why would you NAT on the internal interface? well, admitted, I never use NAT, but...
From pf.conf(5):
Since translation occurs before filtering the filter engine will see packets as they look after any addresses and ports have been translated. Filter rules will therefore have to filter based on the translated address and port number.
It is my understanding and experience that this does *not* mean on the interface in question: it is universal. That is, all NAT happens before any filtering, regardless of the interface(s) involved.
Personally I would wish it were different, but I assume there is a good reason.
Daniel T. Staal
---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---------------------------------------------------------------
