Hi, I am encountering some strange behavior with pf tables. This is with
the Jun 17th kernel and userland on x86.
I have a filtering bridge with IP addresses assigned to both interfaces, and a
host behind NAT for which I am trying to restrict outbound access. (I
am bridging because I have hosts with real IP addresses and NATed IP
addresses.)
Very simple ruleset:
table <okays> persist file "/etc/okays"
scrub in on $ext all
nat on $ext from $int:network to any -> ($ext)
block in on $ext all
pass out on $ext inet proto { tcp, udp, icmp } from any to any modulate state
# -- approach a, filter outbound on external interface
block out on $ext from $host to any
pass out on $ext inet proto tcp from $host to <okays> port 80 modulate state
# -- approach b, filter inbound on internal interface
block in on $int from $host to any
pass in on $int inet proto tcp from $host to <okays> port 80 modulate state
I have tried both approach a and b independently as the last 2 rules of
the configuration, and I am getting the following behavior, which defies my
understanding:
with approach a: everything from $host passes out,
with approach b: everything from $host is blocked out,
in both cases, the table content appears to be ignored.
What am I doing wrong?
jake
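Added illustration, not part of the original post or a reply to it: pf translates an outbound packet before the filter rules on the NAT interface are evaluated, so a rule on $ext that names the host's internal address never matches the translated packet, and the earlier "pass out ... from any" rule is what actually decides. The per-host restriction has to sit where the original source is still visible (inbound on $int); interface names and the host address below are placeholders.

```pf
# Added example ruleset; macro values are assumed placeholders.
ext  = "fxp0"
int  = "fxp1"
host = "192.168.1.10"
table <okays> persist file "/etc/okays"

scrub in on $ext all
nat on $ext from $int:network to any -> ($ext)

block in on $ext all
# Outbound on $ext the packet already carries ($ext) as its source, so
#   block out on $ext from $host to any
# cannot match here; this catch-all rule would pass everything from $host.
pass out on $ext inet proto { tcp, udp, icmp } from any to any modulate state

# Apply the per-host policy on the internal interface, before translation,
# where the source address is still $host.
block in on $int from $host to any
pass in on $int inet proto tcp from $host to <okays> port 80 modulate state

# Checks: "pfctl -t okays -T show" lists what the table actually holds after
# loading; "pfctl -vsr" shows per-rule evaluation and match counters, which
# reveals whether the <okays> rule is ever matched or the catch-all wins.
```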