Leonardo Carneiro - Veltrac wrote:
> Hi Shane, Heya and others. I tried a new setup, using tables (it looks more
> efficient than using a thousand rules for each variable). But it is still
> failing :(
>
> # tables
> table <msn-rdr> persist const file "/etc/pf.conf.d/msn-rdr"
> table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"
>
> # msn proxy
> rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
> rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy
>
> # msn filter
> pass out quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port 1863
> block out quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863
>
> In the msn-rdr table are the IPs of the hosts that should be redirected to
> the proxy, and in the msn-allow table are the IPs of the hosts that should be
> allowed to connect directly to MSN over the internet (including
> the host $proxy). The $proxy host is on a fourth interface named $dmz_iface.
>
> If I remove the "quick" statement from the block rule, anyone on any
> interface can connect, and with the 'quick' statement, no one can =S.
> Also, back in February, when I just redirected everyone to the proxy,
> the rdr rules used to work, but with this more selective rule, it's not
> working at all.
>
> Thanks in advance.
>
Hmm, I'm almost getting it. Switching
block *out* quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863
to
block *in* quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863
solved the problem partially. Now, the allowed hosts are being allowed
and the others are not, but the hosts that should be redirected are not
being redirected and also cannot connect.
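An added pf.conf fragment, not from the thread, showing one rule ordering that keeps the quick block from swallowing the redirected hosts. pf applies rdr before the filter rules, so the filter sees the translated destination ($proxy), and a <msn-rdr> host, being absent from <msn-allow>, then matches "block in quick ... from ! <msn-allow> to any port 1863"; a pass-in rule for <msn-rdr> placed ahead of that block lets those hosts through. The second pass rule for the 25000:30000 range and the "keep state" options are assumptions.

```pf
# tables (same as in the thread)
table <msn-rdr> persist const file "/etc/pf.conf.d/msn-rdr"
table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

# msn proxy: translation happens before filtering, so every filter rule
# below sees "to $proxy", not the original MSN server address
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy

# msn filter
# 1) redirected hosts: admit them inbound on the LAN side *before* the quick
#    block, matching the already-translated destination $proxy
#    (two rules mirror the two rdr rules; "keep state" is an assumption)
pass in quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port 1863 keep state
pass in quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port 25000:30000 keep state

# 2) everything else on the inside that is not in <msn-allow> is cut off from MSN
block in quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863

# 3) allowed hosts (including $proxy) go straight out to the internet
pass out quick on $inet_iface inet proto tcp from <msn-allow> to any port 1863 keep state
```

Loading the ruleset with "pfctl -nf /etc/pf.conf" first checks the syntax, and "pfctl -sr" afterwards shows the expanded filter rules in the order pf will evaluate them.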