On Mon, 2005-10-31 at 16:51 -0500, Scott Ullrich wrote:
> On 10/31/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> > > So what's wrong with this? If you're not using the IP, what's the bother?
> >
> > Well. My LAN is using IP 111.111.111.154/29 - this is the LAN lockout
> > rule I'd like to see generated. If I enter there some fake IP it
> > breaks as well as a few other rules associated with LAN. I do not know
> > how important they are and what else you plan to add to them later
> > on.
>
> It shouldn't break a thing by entering an IP. Please describe what
> you mean by breaking.

I mean it creates nonsense rules:

# cat /tmp/rules.debug | grep 10.25
nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in on em1 proto tcp from 10.25.15.0/29 to any port 5900:5930 keep state tag qOthersDownH
pass in on em0 proto tcp from any to 10.25.15.0/29 port 5900:5930 keep state tag qOthersUpH
pass out on em1 proto tcp from any to 10.25.15.0/29 port 5900:5930 keep state tag qOthersDownH
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"

My point is - these rules can't work because the 10.25.15.1 IP is not really used in the LAN. Now my concerns are:

1) The matching feature does not work - for example the web anti-lockout rule is wrong as you can see above. The DHCP server can also be blocked if there is no proper rule. This is why you need a real IP set on the LAN.

2) If you say it does not matter - why would I want these rules polluting the firewall tables if they never work? In this case I'd perhaps be better off having no IP on LAN at all and have them

> > > There is IP where... same as WAN. This is the IP I would like to protect.
> > You're saying the same IP for both interfaces is not good even if it is part
> > of the bridge - OK - but there is no other way to have web lockout
> > rules generated.
>
> You're going about this all wrong. If you have an IP you want to
> protect then the machine should be behind the bridge with the public
> IP. Not on pfSense! Enter a fake IP on the LAN interface
> (something like 192.168.1.1). The bridge will automatically forward
> traffic through it.

Right.

This actually works in all 3 cases - no IP - fake IP - IP on LAN same as on WAN - but all have various minor glitches :)

> Yes, having the same IP on two interfaces will confuse the holy hell
> out of FreeBSD. I guess we need to have more logic in the webGUI to
> keep people from doing this.

Yes. This is a very good idea. This is why I asked from the very beginning - which of the three is going to be the officially supported setup for bridging. At this point I must say using a fake IP is the ugliest and works worst of all :)
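The complaint in this thread is that rules generated from a placeholder LAN address can never match real traffic, so they silently do nothing (the anti-lockout rule above being the important one). As an added example, not part of the thread or of pfSense, the following script audits a `rules.debug` dump and flags every rule whose literal addresses fall outside the networks actually in use. The sample rules are the ones quoted in the mail; the "real" network is taken from the 111.111.111.154/29 address the poster gives for the LAN.

```python
import ipaddress
import re

# Sample input: the rules quoted in the thread (output of `grep 10.25 /tmp/rules.debug`).
RULES_DEBUG = """\
nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in on em1 proto tcp from 10.25.15.0/29 to any port 5900:5930 keep state tag qOthersDownH
pass in on em0 proto tcp from any to 10.25.15.0/29 port 5900:5930 keep state tag qOthersUpH
pass out on em1 proto tcp from any to 10.25.15.0/29 port 5900:5930 keep state tag qOthersDownH
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
"""

# Matches dotted-quad IPv4 literals with an optional /prefix; port numbers and
# interface names like (em0) do not match because they are not four octets.
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def rule_addresses(rule):
    """Return every IPv4 address or network literal in one pf rule.

    A bare host address becomes a /32 network so it can be compared
    against the real networks with the same call.
    """
    return [ipaddress.ip_network(a, strict=False) for a in ADDR_RE.findall(rule)]


def dead_rules(rules_text, real_networks):
    """Return (rule, [offending literals]) for rules that can never match.

    A rule is reported when at least one of its address literals lies
    outside every network in real_networks, i.e. the rule constrains
    traffic to an address that no host on the wire actually carries.
    Rules with no literal addresses (only "any") are never reported.
    """
    real = [ipaddress.ip_network(n, strict=False) for n in real_networks]
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        unreachable = [
            str(addr)
            for addr in rule_addresses(line)
            if not any(addr.subnet_of(net) for net in real)
        ]
        if unreachable:
            findings.append((line, unreachable))
    return findings


if __name__ == "__main__":
    # The LAN the poster actually uses; strict=False turns the host
    # address into its /29 network (111.111.111.152/29).
    for rule, addrs in dead_rules(RULES_DEBUG, ["111.111.111.154/29"]):
        print("UNREACHABLE", addrs, "::", rule)
```

Running it against the quoted rules reports all nine, including the anti-lockout rule, because every one of them references 10.25.15.0/29 or 10.25.15.1 rather than the real LAN network. Passing the placeholder network as "real" (`["10.25.15.0/29"]`) reports nothing, which is exactly the false sense of coverage the thread is about: the rules are syntactically fine, they just describe traffic that will never arrive.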