Björn Ketelaars wrote:

here are two as a start:

1) "to !$int_if:network" will only work as you intend if there is only
   one IP address assigned to $int_if. If there are more, it will fail.
   Please show the content of "pfctl -sr". As a workaround, you can
   use !($int_if:network).

2) You want to prevent people in your internal network from connecting to
   your firewall, but the rules that you show here won't prevent them from
   accessing the external IP address of your firewall ($ext_if).

Cedric



Hello,

1.) Wait a minute... so the "not" modifier works only for a single
IP address (e.g. $int_if) and not for a range (e.g. $int_if:network)? This
explains it!

No, it should work with a range. But if you've assigned an alias to the interface, there are two or more ranges, and then it will not work; look at the "pfctl -sr" output to see why.

2.) Indeed I want to prevent people in the internal network from accessing
the firewall, but I also want to make it possible for them to connect to the
internet (by means of NAT).

The following is better then:

   pass in on $int_if from $int_if:network to !(self) keep state

Cedric
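The two points above side by side in one pf.conf fragment, as an added example that is not part of the thread. Interface names em0/em1 are assumed; the NAT line is written in the current OpenBSD "match ... nat-to" form (older pf uses a separate "nat" rule). The reason the first rule misbehaves is that pfctl applies "!" to each address the macro expands to and emits one rule per address, which is what "pfctl -sr" would reveal; the parenthesised form is resolved in the kernel as a single dynamic address set, so the negation covers every address at once.

```pf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "em0"
int_if = "em1"

set skip on lo

# Default deny, logged: any LAN attempt to reach the firewall itself
# lands in pflog, which is the useful audit signal here.
block log all

# Works as intended only while $int_if has exactly one address. With an
# alias on $int_if, $int_if:network expands to a list, pfctl applies "!"
# per element and emits one rule per element, and each rule still
# matches the other network, so LAN hosts can reach the firewall.
# pass in on $int_if from $int_if:network to !$int_if:network keep state

# Workaround from the thread: the parenthesised form is one dynamic
# address set in the kernel, so "!" means "none of these".
# pass in on $int_if from $int_if:network to !($int_if:network) keep state

# Preferred: (self) covers every address on every interface, $ext_if
# included, so LAN hosts get to the Internet but never to the firewall.
pass in on $int_if from $int_if:network to !(self) keep state

# Forward the permitted LAN traffic out through NAT on $ext_if.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass out on $ext_if keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to check the syntax, then compare "pfctl -sr" with and without an alias on $int_if: the commented-out first rule turns into several rules, while the dynamic forms stay as one rule each.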
