On Sat, Dec 20, 2003 at 08:46:12AM -0600, Jim Mays wrote:
> Pardon me for being dense here, but I must be missing something. If I want
> to add a tag to all packets coming from an IP address early in the pf.conf
> file and then block that packet later (after NAT) based on the tag instead
> of (the now modified) IP address, then there is a problem.
>
> I added a rule early in the file that said
>
> pass in on $IntIf from 192.168.100.130 to any tag MYTAG
>
> then, later (after NAT) I tried to block any packet tagged MYTAG. The
> problem is that the sections in pf.conf have to be in order and filtering is
> last. I cannot have the above line high in the file. So how do I tag
> something before NAT runs (based on an internal IP address) and then block
> that tag later?
Well, this should work:

nat on $ext_if from 192.168/24 -> $ext_if
pass in on $int_if from 192.168.0.1 keep state tag bad
block out on $ext_if tagged bad

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
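The point of Henning's three rules is that the tag rides with the packet (and, via keep state, with the connection) across the translation step, so the outbound filter on the external interface can still recognise traffic from a given internal host even though its source address has already been rewritten. Below is a complete pf.conf, added here as an illustration and not part of the original thread, written in the pre-OpenBSD-4.7 layout the thread is about (options, then nat, then filter rules). Interface names, the LAN prefix, the host address and the tag name are all assumed values. Note that from OpenBSD 4.7 onward translation is expressed with nat-to on match/pass rules inside the filter ruleset, so the ordering constraint Jim ran into no longer exists there.

```pf
# Added example, not from the original mailing-list thread.
# All names and addresses below are assumptions for illustration.
int_if   = "fxp0"
ext_if   = "fxp1"
lan      = "192.168.100.0/24"
bad_host = "192.168.100.130"    # assumed: the internal host to cut off

# Translation section: evaluated before the filter rules on $ext_if,
# so by the time a packet is filtered outbound its source address is
# already $ext_if's address and can no longer identify $bad_host.
nat on $ext_if from $lan to any -> ($ext_if)

# Filter section. Default deny, then the LAN pass rule.
block all
pass in on $int_if from $lan to any keep state

# Last matching rule wins, so this more specific rule overrides the
# general LAN rule for $bad_host. The tag is attached on the inbound
# interface, where the untranslated source address is still visible,
# and keep state makes every later packet of the connection carry it.
pass in on $int_if from $bad_host to any keep state tag BADHOST

# Outbound on the external interface: match on the tag, not on the
# (now translated) address. quick stops evaluation so the generic
# pass out rule below cannot override the block.
block out quick on $ext_if tagged BADHOST
pass out on $ext_if keep state
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, then load it and watch the per-rule counters with pfctl -v -s rules: traffic from the tagged host should increment the "block out quick ... tagged BADHOST" rule, while other LAN hosts only hit the nat and pass rules.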
