either:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state tag mytracert
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state tagged mytracert

or:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state received-on $int_if

There are some other ways too, but I like these the most.

dlg

On 20/01/2011, at 6:17 PM, Indunil Jayasooriya wrote:

> Hi list,
>
> I have a question. I want my PC (i.e. admin_pc) to be able to traceroute;
> it is behind an OpenBSD 4.8 pf firewall (doing NAT). So, I have added the
> below rules in the pf.conf file.
>
> match out on $ext_if from $lan_net nat-to ($ext_if)
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state
>
> Due to the above rules, my PC can traceroute. It works fine. *But*, in
> addition to that, the firewall can also traceroute because of the above
> *pass out* rule. I *do NOT* want the firewall to be able to traceroute.
>
> My question is: how can I exclude my firewall from being able to do it?
>
> --
> Thank you
> Indunil Jayasooriya
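As an added illustration, not taken from dlg's reply or from the original pf.conf, here is the tag/tagged variant placed in a minimal ruleset with a default block, so the effect on the firewall's own probes is visible; the interface names and addresses are assumed placeholders.

```pf
# Added example: minimal pf.conf (OpenBSD 4.8 syntax) combining the NAT rule
# from the question with the tag/tagged rules from the reply.
# Interface names, addresses and networks are placeholders, not real values.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.0.2.0/24"    # RFC 5737 documentation range, placeholder
admin_pc = "192.0.2.10"

set skip on lo

match out on $ext_if from $lan_net nat-to ($ext_if)

# Default deny. Without this, pf passes anything no rule matches, so the
# firewall's own traceroute would still leave regardless of the tag.
block log all

# Probes arriving from admin_pc on the inside interface get tagged.
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state tag mytracert

# Only tagged probes may leave on the outside interface. Probes the
# firewall generates itself never pass through the "pass in" rule above,
# so they never carry the tag and fall through to "block log all".
# The matching ICMP replies are handled by the state entries.
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state tagged mytracert
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while running traceroute from the firewall and from admin_pc to confirm only the firewall's probes are blocked.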

