>
> well, this should work:
>
> nat on $ext_if from 192.168/24 -> $ext_if
> pass in on $int_if from 192.168.0.1 keep state tag bad
> block out on $ext_if tagged bad
>


Nope.  I tried both "in" and "out" on $ExtIF.  The machine still accesses
the internet freely.  Here is my pf.conf.

# Define useful variables
#
ExtIF     ="dc1"              # External Interface
IntIF     ="dc0"              # Internal Interface
loopbackIF="lo0"              # Loopback Interface
#
IntNet  ="192.168.100.0/24"   # Our internal network
Austin  ="192.168.100.129"
Gameroom="192.168.100.130"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#Services="{ ssh }"

# Clean up fragmented and abnormal packets
scrub in all

# nat on dc1 from 192.168.100.0/24 to any -> dc1
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# block all internet traffic to gameroom computer
pass in on $IntIF from $Gameroom keep state tag GAME
block in quick on $ExtIF tagged GAME

#pass anything on loopback
pass out quick on $loopbackIF

# don't allow anyone to spoof non-routeable addresses
block in  quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# allow others to use allowed services
pass  in on $ExtIF inet proto tcp from any to any port $Services \
        flags S/SA keep state

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ExtIF                 all
pass  out on $ExtIF inet proto tcp  all flags S/SA keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state

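Two things worth checking before touching the rules. First, as posted the file will not load: `$Services` is referenced in the `pass in on $ExtIF ... port $Services` rule while its definition is commented out, so `pfctl -nf /etc/pf.conf` stops with `macro 'Services' not defined`, and a ruleset that fails to parse leaves whatever was loaded before still in place. Second, nat on `$ExtIF` rewrites the source address before the outbound filter rules on `$ExtIF` are evaluated, so a rule on that interface never sees 192.168.100.130 as the source; the tag was meant to get around that. A way to avoid both the translation order and the tag/state interaction entirely is to drop the host's non-LAN traffic on the internal interface, where the address is still untranslated and no state has been created yet. The following is an added example for this thread, not the poster's file or the quoted suggestion; it reuses the poster's macro names and assumes the same two-interface layout (dc0 inside, dc1 outside).

```pf
# Added example: keep one LAN host off the internet by filtering at the
# internal interface, before NAT and before any state exists.
ExtIF   ="dc1"                 # External Interface
IntIF   ="dc0"                 # Internal Interface
IntNet  ="192.168.100.0/24"    # Our internal network
Gameroom="192.168.100.130"

scrub in all

nat on $ExtIF from $IntNet to any -> ($ExtIF)

# Evaluated as the packet arrives from the LAN, so the source is still
# 192.168.100.130 (translation only happens later, leaving $ExtIF).
# "quick" makes this the final match; "to ! $IntNet" still lets the
# gameroom box talk to the router and to other LAN hosts.
block in quick on $IntIF from $Gameroom to ! $IntNet

# everyone else on the LAN gets out, with state
pass in on $IntIF from $IntNet keep state

# default deny from outside, stateful pass for our own outbound traffic
block in  on $ExtIF all
block out on $ExtIF all
pass  out on $ExtIF inet proto tcp  all flags S/SA keep state
pass  out on $ExtIF inet proto udp  all            keep state
pass  out on $ExtIF inet proto icmp all            keep state
```

Load it with `pfctl -f /etc/pf.conf` (after `pfctl -nf` parses cleanly), then try to reach something outside from the gameroom machine and look at `pfctl -vsr`: the per-rule counters show whether the `block in quick on dc0` line is the one being hit. Because the block comes first and is `quick`, the later `pass in on $IntIF ... keep state` never gets a chance to create the state that would carry the host's traffic through.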

