Christopher Zimmermann wrote:
> as I understand, pf cannot tell incoming packets destined to the
> local machine from incoming packets to be forwarded. With iptables I
1)
read "man pf.conf" about
* tables, to have a list of your "allowed" machines (e.g. laptop)
* macros, e.g. "(tun0)" will be replaced with your current IP, so you
don't have to change this every time; you already used this in your nat
rule, and it also works in any other rule
* "tag" / "tagged" keywords, this will make your life easier...
2)
Keep in mind that your desktop has 2 IPs:
* the one of your "internal" network on ath0, probably 192.168.23.1 or
something
* the external IP on tun0
Use this in your rules.
Bind the services (e.g. sshd) only to the internal IP, not to all
interfaces.
Then you can define from which side you want to accept packets, e.g.
internal_if="ath0"
external_if="tun0"
internal_ip="(ath0)"      # parentheses: re-read whenever the address changes
external_ip="(tun0)"
table <internal_net> const persist {192.168.23.1, 192.168.23.2}
# "port" only applies to tcp/udp, so the rule has to name the protocol,
# otherwise pfctl rejects it with "port only applies to tcp/udp"
pass in on $internal_if proto tcp from <internal_net> to $internal_ip port 22
pass in on $external_if proto icmp from any to $external_ip
This will allow SSH from the wlan and icmp from the internet (just as an
example).
But in the end you will have to write rules per interface and per target
(local or forward); read also about "tag" / "tagged".
kind regards,
Robert
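A complete pf.conf for the setup discussed in this thread, written as an added example (it is not code from either poster): one rule set per interface and per target, with "tag" / "tagged" marking the packets that are to be forwarded so that the desktop's own traffic and the clients' traffic cannot be confused on tun0. It assumes the names from the thread (ath0 for the wlan with 192.168.23.0/24, tun0 for the PPP link with a changing address); the table name <admin_hosts>, the tag name FWD_LAN and the older "nat on ... ->" translation syntax are assumptions as well.

```pf
# Added example, not part of the original message. Interface names, the
# 192.168.23.0/24 net, <admin_hosts> and FWD_LAN are assumptions.
int_if="ath0"
ext_if="tun0"
int_net="192.168.23.0/24"
int_ip="(ath0)"        # parentheses: re-read whenever the address changes
ext_ip="(tun0)"

# Clients that may use services on the desktop itself (e.g. the laptop).
table <admin_hosts> const persist { 192.168.23.2 }

set skip on lo0

# Translation rules come before filter rules in this syntax; on OpenBSD
# 4.7 and later this line becomes
# "match out on $ext_if from $int_net to any nat-to $ext_ip".
nat on $ext_if from $int_net to any -> $ext_ip

# Default deny in both directions; everything below opens holes in it.
block in log all
block out log all

# Target "forward": everything the clients send in on ath0 is a forwarding
# candidate. Tag it; the tag is sticky and stays on the packet across
# interfaces, so it can be checked again on the way out.
pass in on $int_if from $int_net to any tag FWD_LAN keep state

# Target "local": packets from the clients to one of the desktop's own
# addresses must not be treated as forwarding. The last matching rule
# wins, so this overrides the rule above for exactly those packets ...
block in log on $int_if from $int_net to { $int_ip $ext_ip }

# ... and these override the block for the services the desktop does
# offer to the wlan. "port" only applies to tcp/udp, so name the protocol.
pass in on $int_if proto tcp from <admin_hosts> to $int_ip port 22 keep state

# Forwarded packets may leave on tun0 only if they carry the tag from the
# first pass rule, i.e. they really entered on ath0 from the client net.
pass out on $ext_if tagged FWD_LAN keep state

# The desktop's own outgoing traffic. "! tagged" keeps forwarded packets
# (which are "from $ext_ip" after NAT) out of this rule, so the tagged
# rule above is the only way out for them.
pass out on $int_if from $int_ip keep state
pass out on $ext_if from $ext_ip ! tagged FWD_LAN keep state

# Target "local" on the internet side: only ping requests reach the desktop.
pass in on $ext_if inet proto icmp from any to $ext_ip icmp-type echoreq keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it; the -n flag parses without changing the running rule set, so a missing "proto tcp" or a typo in a macro name shows up before you lock yourself out of the box.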