Can you add a "tag foobar" at the end of a nat line? If I do this and then
check the results with pfctl -nf, it gives me a syntax error. Can you not
tag a nat line?
Thanks
Jim
pf.conf:
# Define useful variables
#
ExtIF ="dc1" # External Interface
IntIF ="dc0" # Internal Interface
loopbackIF="lo0" # Loopback Interface
#
IntNet ="192.168.100.0/24" # Our internal network
Austin ="192.168.100.129"
Gameroom="192.168.100.130"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
Services="{ ssh, ftp }"
#Services="{ ssh }"
# Clean up fragmented and abnormal packets
scrub in all
# nat on dc1 from 192.168.100.0/24 to any -> dc1
nat on $ExtIF from $Gameroom to any -> ($ExtIF) tag GAME
nat on $ExtIF from $Austin to any -> ($ExtIF) tag AUST
nat on $ExtIF from $IntNet to any -> ($ExtIF) tag OTHER
block out quick on $ExtIF tagged GAME
#pass anything on loopback
pass out quick on $loopbackIF
# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs
# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all
# allow others to use allowed services
pass in on $ExtIF inet proto tcp from any to any port $Services \
flags S/SA keep state
# and let out-going traffic out and maintain state on established
# connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
#
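The following is an added example, not part of Jim's post: in pf.conf(5) releases that accept `tag` on translation rules, the keyword belongs in the options before the `->` redirection target, and a tag placed after the target is a syntax error. The macro values are taken from the ruleset above.

```pf
# Added example (not from the original post): where "tag" is accepted on
# nat rules, it precedes the "->" target rather than following it.
ExtIF = "dc1"
IntNet = "192.168.100.0/24"
Gameroom = "192.168.100.130"

# Rejected by "pfctl -nf": the tag comes after the redirection target
# nat on $ExtIF from $Gameroom to any -> ($ExtIF) tag GAME

# Accepted: tag before "->". nat rules are first-match, so the more
# specific Gameroom rule must stay above the general IntNet rule.
nat on $ExtIF from $Gameroom to any tag GAME -> ($ExtIF)
nat on $ExtIF from $IntNet to any tag OTHER -> ($ExtIF)

# The tag set by the matching nat rule is visible to the filter rules,
# so "tagged" can be used to decide what the translated packets may do.
block out quick on $ExtIF tagged GAME
pass out on $ExtIF inet proto tcp all flags S/SA keep state tagged OTHER
```

Run `pfctl -nf` on the file before loading it; on a release that rejects `tag` in translation rules altogether, the same effect needs a filter rule matching `from $Gameroom` directly.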