[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: little question.
On Wed, Mar 05, 2003 at 12:52:50PM -0300, Alejandro G. Belluscio wrote:
> Hello pf,
> I've found two problems today on my 3.2 release machine. I've got an
> $ExtIF that connects to the Internet and an $IntIF that goes to a
> NATed private net.
> 1) I've got a cablemodem that asigns an IP throu DHCP. But the
> cablemodem itself has an 18.104.22.168 IP. So I have added an alias
> 192.168.100.128. Which leads to two subroblems.
> 1a) When I try to reach it from my NATed machine it gets translated
> and so it doesn't goes throu 192.168.100.128 but my CM assigned IP.
> I think that I have to add a:
Why not just use a different subnet for your NATed machines? You can
> 1b) I want to make sure that if some machine gets compromised, it
> can't send spoofed IP. So I've put:
> block out quick on $ExtIF inet from ! $ExtIP to any
> But it doesn't allows my aliased IP. I've tried to use a list. But
> when I negate a list I get a sysntax error (which I expected
> anyway). I don't think it's logical to have a list of negated IPs
> since that should mean everything. How am I supposed to do this?
block out on $ExtIF all
pass out on $ExtIF from $ExtIP to any
I find that people (ab)use the the `quick' keyword too much.