> here are two as a start:
>
> 1) "to !$int_if:network" will only work as you intend if there is only
> one IP address assigned to $int_if. If there are more, it will fail.
> Please show the content of "pfctl -sr". As a workaround, you can
> use !($int_if:network).
>
> 2) You want to prevent people in your internal network from connecting to your
> firewall, but the rules that you show here won't prevent people from
> accessing the external IP address of your firewall ($ext_if).
>
> Cedric
Hello,

1.) Wait a minute... so the "not" modifier works only for a single IP address (e.g. $int_if) and not for a range (e.g. $int_if:network)? This explains it!

2.) Indeed, I want to prevent people in the internal network from accessing the firewall, but I also want to make it possible for them to connect to the internet (by means of NAT).

Regards,
Björn
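The two points above in pf.conf form, as an added example that is not part of either poster's message. The interface names em0/em1, the internal network 192.168.1.0/24 and the OpenBSD 4.7-or-later "match ... nat-to" syntax are assumptions; older pf spells the NAT rule as "nat on $ext_if from $int_net to any -> ($ext_if)".

```pf
# Added example, not from the thread. Assumed: em0/em1, 192.168.1.0/24,
# OpenBSD 4.7+ syntax (match ... nat-to).
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo

# NAT: internal hosts reach the internet through the firewall's external address.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

block log all

# Point 1: "!$int_if:network" is expanded by pfctl at load time. If $int_if
# carries two addresses, this becomes two rules ("to ! net_a" and "to ! net_b");
# a packet for net_b matches the first of them, so the negation is lost.
#pass in on $int_if inet from $int_net to !$int_if:network

# Workaround from the thread: the parentheses make the address dynamic, so the
# whole set of $int_if networks stays in one rule and "!" applies to all of them.
#pass in on $int_if inet from $int_net to !($int_if:network)

# Point 2: negating only $int_if's networks still lets internal hosts reach the
# firewall's external address. "self" expands to every address on this host,
# including $ext_if, so block that explicitly and pass everything else.
block in quick on $int_if inet from $int_net to self
pass in on $int_if inet from $int_net to any
pass out on $ext_if inet
```

To see what pfctl actually makes of a rule set before loading it, run "pfctl -nvf /etc/pf.conf": -n parses without loading and -v prints the rules after macro and list expansion, which is where the two-rule expansion of "!$int_if:network" becomes visible. "pfctl -sr", which Cedric asked for, shows the rules currently loaded in the kernel.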
