On Sat, 20 Dec 2003 11:46:20 -0600, you wrote:

>Maybe I need to set up the firewall as a bridge.  The last part of the FAQ
>page on Packet Tagging  ( http://www.openbsd.org/faq/pf/tagging.html ) says
>that if you set it up as a bridge you can filter
>down to the MAC address level.
>
>Jim
>
How is that going to help? Considering the problems so far; it seems to me that it
will only exacerbate the situation.

On Sat, 20 Dec 2003 12:03:44 -0600, you wrote:

>Nope.  I tried to block out instead of in and the machine still finds the
>web as usual.
>
>Jim
>
Of course it does. To be blunt; I'm surprised that this has gone on so long with 
no resolution. Why? 'man pf.conf' for the solution.

     The no option prefixed to a translation rule causes packets to remain un-
     translated, much in the same way as drop quick works in the packet filter
     (see below).  If no rule matches the packet it is passed to the filter
     engine unmodified.

no nat on $ExtIF from $Gameroom to any
nat on $ExtIF from $IntNet to any -> ($ExtIF)

Now you don't have to specify ANY special rules. Because now the packets, since
they have not been translated, will match your existing rules (with a little
help):

block quick on $ExtIF from $NoRouteIPs to any
block quick on $ExtIF from any to $NoRouteIPs

Notice how I didn't specify a direction?

     in or out
           This rule applies to incoming or outgoing packets.  If neither in
           nor out are specified, the rule will match packets in both direc-
           tions.

pass out quick on $loopbackIF

Without a keep state; nothing is going to go 'in'. Either add keep state or remove
out.
Never mind the fact that you are using a macro for lo0; is it going to change often?

While you're at it; I'd clean up your pf.conf. It could be a little bit more readable.

Oh, and do this again; 'man pf.conf'.
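As an added example (not from the original thread), here is how the pieces above fit together in one pf.conf of that era, with the macro values as assumed placeholders and the loopback rule written both ways the reply suggests:

```pf
# Added example, not part of the original thread; interface names and
# addresses are assumed placeholders.
ExtIF      = "fxp0"
IntIF      = "fxp1"
loopbackIF = "lo0"
IntNet     = "192.168.1.0/24"
Gameroom   = "192.168.1.50"          # host that must not reach the Internet
NoRouteIPs = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Translation rules are first-match, so the 'no nat' rule must come before
# the general nat rule or the game room host gets translated like everyone else.
no nat on $ExtIF from $Gameroom to any
nat on $ExtIF from $IntNet to any -> ($ExtIF)

# No direction keyword, so these match packets in both directions. The
# untranslated private source address of $Gameroom is caught here on its way out.
block quick on $ExtIF from $NoRouteIPs to any
block quick on $ExtIF from any to $NoRouteIPs

# Loopback: 'pass out quick on $loopbackIF' alone lets nothing back in.
# Either drop the direction, or keep the direction and add keep state.
pass quick on $loopbackIF
# pass out quick on $loopbackIF keep state

# Remaining rules for $IntIF and $ExtIF follow here.
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s nat` afterwards to confirm the `no nat` rule is listed first.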

