Re: blocking out an idiot on the network

2006-01-05 Thread Karl O. Pinc


On 01/05/2006 01:21:06 PM, tim wrote:

> hullo,
> I have a very simple problem but sadly I'm too brainless to figure it out.
> There's an idiot on our network who refuses to switch off his P2P.
> The outward port blocking solution is not a popular one.
>
> Thus, what I want to do is to block out this idiot. H



> # nat ...
> nat on $ext_if from $internal_net to any -> ($ext_if)



> # grr, this bit isn't working
> block out quick on $ext_if from $idiot to any


The above does not work because natting happens first, so the
rule sees ($ext_if)


> block out quick on $int_if from $idiot to any


The above does not work because the datagrams going out on $int_if
are to $idiot, not from $idiot. You might want to block in instead.

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: blocking out an idiot on the network

2006-01-05 Thread Jon Simola
On 1/5/06, tim [EMAIL PROTECTED] wrote:

> # grr, this bit isn't working
> block out quick on $ext_if from $idiot to any
> block out quick on $int_if from $idiot to any

Blocking out on $ext_if is done post-NAT after the source IP changes,
so do all the blocking on the internal interface:

block out quick on $int_if from any to $idiot
block in quick on $int_if from $idiot to any

--
Jon Simola
Systems Administrator
ABC Communications
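
A complete ruleset wired the way Jon describes, added here as an illustration and not code from anyone in the thread. The interface names and addresses are assumed placeholders; the syntax is the pre-4.7 pf of the period, with a separate `nat` rule as in tim's original.

```pf
# Assumed interface names and addresses; substitute your own.
ext_if="fxp0"
int_if="fxp1"
internal_net="192.168.1.0/24"
idiot="192.168.1.50"

# NAT stays on the external interface. By the time a packet from $idiot
# is evaluated out on $ext_if its source has already been rewritten to
# ($ext_if), which is why "block out on $ext_if from $idiot" never matches.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Default policy: deny everything, then allow what is needed.
block all

# Cut $idiot off on the internal interface, before NAT and in the right
# direction: the host's own traffic arrives *in* on $int_if, traffic to the
# host leaves *out* on $int_if. "quick" ends evaluation so no later pass
# rule can override these; "log" makes the drops visible on pflog0.
block in log quick on $int_if from $idiot to any
block out log quick on $int_if from any to $idiot

# Everyone else on the LAN goes through as before.
pass in on $int_if from $internal_net to any keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. One caveat worth knowing: reloading the ruleset does not touch the state table, so a P2P session that already has a state entry keeps flowing until it times out. `pfctl -k 192.168.1.50` kills the states originating from that host immediately, and `tcpdump -n -e -ttt -i pflog0 host 192.168.1.50` shows what the new rules are dropping.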


Re: blocking out an idiot on the network

2006-01-05 Thread Bryan Irvine
> # grr, this bit isn't working
> block out quick on $ext_if from $idiot to any

wrong interface.

> block out quick on $int_if from $idiot to any

wrong direction.

:-)

--Bryan