> If you don't want any PCs on the LAN to access your server but for udp
> 53 (will mean you can't even SSH into the box) why don't you add
> something like:
>
> pass in quick on $int_if proto udp from $int_if:network to $int_if \
> port $int_udp keep state
> block in quick on $int_if from any to $firewall_internal_ip
>
> Surely that is a better solution?
>
> Andrew
Hello,
Thanks for your reaction!
I guess your solution is more efficient, but that is not the problem. What
I want is the following:
block all
pass in on $int_if from $int_if:network to any keep state
block in on $int_if from $int_if:network to { $int_if:network, $int_if2_other:network }
pass in on $int_if proto udp from $int_if:network to $int_if port = domain keep state
This makes it possible for a packet to reach the internet and to make
DNS queries to the internal firewall IP ($int_if). These rules also
block traffic to $int_if2_other:network. This works like a charm.
Now I thought to be clever by using the "not" modifier (!), so the above
rules would look like:
block all
pass in on $int_if from $int_if:network to !{ $int_if:network, $int_if2_other:network } keep state
pass in on $int_if proto udp from $int_if:network to $int_if port = domain keep state
The first rule should pass all traffic except to the server ($int_if)
and a secondary range. The second rule opens UDP port 53.
Unfortunately this doesn't work. It seems as if the "not" modifier does
not do what I believe it should do.
Regards, Björn
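Added example, not from either poster and not pf itself: a small Python model of how pf evaluates a ruleset, written to show what the two rulesets above do to the same packets. It assumes the behaviour documented in pf.conf(5): a list in curly braces expands into one rule per element, a "!" written against the list is applied to each expanded element separately (the warning in the LISTS section of the manual), and without "quick" the last matching rule wins. The addresses are made up and stand in for $int_if, $int_if:network and $int_if2_other:network; source-address checks are left out because every modelled packet originates on the LAN.

```python
"""Model of pf list expansion and last-match evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addresses standing in for the macros in the post.
INT_IF = ip_network("192.168.1.1/32")      # $int_if: the firewall's LAN address
INT_NET = ip_network("192.168.1.0/24")     # $int_if:network
OTHER_NET = ip_network("192.168.2.0/24")   # $int_if2_other:network
ANY = None                                 # "to any"


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    dst: Optional[IPv4Network]     # None means "any"
    negated: bool = False          # the "!" modifier on the destination
    proto: Optional[str] = None    # e.g. "udp"; None matches every protocol
    dport: Optional[int] = None    # e.g. 53; None matches every port

    def matches(self, dst: IPv4Address, proto: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst is None:
            return True
        in_net = dst in self.dst
        return (not in_net) if self.negated else in_net


def expand(action: str, dsts: List[IPv4Network], negated: bool = False,
           proto: Optional[str] = None, dport: Optional[int] = None) -> List[Rule]:
    """Assumed pf list expansion: "to { a, b }" becomes one rule per element,
    and a "!" on the list is applied to each element separately, so
    "to ! { a, b }" becomes "to ! a" followed by "to ! b"."""
    return [Rule(action, d, negated, proto, dport) for d in dsts]


def verdict(rules: List[Rule], dst: str, proto: str = "tcp", dport: int = 80) -> str:
    """Evaluate without "quick": the last matching rule decides."""
    result = "pass"  # pf's implicit default when no rule matches at all
    addr = ip_address(dst)
    for r in rules:
        if r.matches(addr, proto, dport):
            result = r.action
    return result


def ruleset_explicit_block() -> List[Rule]:
    """The ruleset the poster says works: pass to any, block the two
    internal ranges, then re-open UDP 53 to the firewall itself."""
    return (
        [Rule("block", ANY)]                                  # block all
        + [Rule("pass", ANY)]                                 # pass ... to any
        + expand("block", [INT_NET, OTHER_NET])               # block ... to { net1, net2 }
        + [Rule("pass", INT_IF, proto="udp", dport=53)]       # pass ... to $int_if port = domain
    )


def ruleset_negated_list() -> List[Rule]:
    """The ruleset that surprised the poster: pass to ! { net1, net2 }."""
    return (
        [Rule("block", ANY)]
        + expand("pass", [INT_NET, OTHER_NET], negated=True)  # "to ! net1" and "to ! net2"
        + [Rule("pass", INT_IF, proto="udp", dport=53)]
    )


if __name__ == "__main__":
    probes = [("203.0.113.10", "tcp", 80),    # internet host
              ("192.168.1.1", "udp", 53),     # DNS to the firewall
              ("192.168.1.1", "tcp", 22),     # SSH to the firewall
              ("192.168.2.5", "tcp", 80)]     # host in the second range
    for dst, proto, port in probes:
        print(f"{dst:>14} {proto}/{port:<3} explicit={verdict(ruleset_explicit_block(), dst, proto, port):5} "
              f"negated-list={verdict(ruleset_negated_list(), dst, proto, port)}")
```

Under these assumptions the single pass rule of the second ruleset expands into "to ! $int_if:network" and "to ! $int_if2_other:network"; a packet for the firewall is outside the second range, so it matches the second expanded rule and is passed, and the same holds for every other destination. The negation therefore never excludes anything, which is the behaviour the post describes for SSH to the box. Running pfctl -nvf /etc/pf.conf prints the expanded rules, which is the quickest way to confirm what a list turned into; a table (<name>) is negated as a whole, so it is the construct to reach for when a rule must mean "not in this set".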