[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: little question.

On Wed, Mar 05, 2003 at 12:52:50PM -0300, Alejandro G. Belluscio wrote:
> Hello pf,
>   I've found two problems today on my 3.2 release machine. I've got an
>   $ExtIF that connects to the Internet and an $IntIF that goes to a
>   NATed private net.
>   1) I've got a cablemodem that asigns an IP throu DHCP. But the
>   cablemodem itself has an IP. So I have added an alias
> Which leads to two subroblems.
>   1a) When I try to reach it from my NATed machine it gets translated
>   and so it doesn't goes throu but my CM assigned IP.
>   I think that I have to add a:
Why not just use a different subnet for your NATed machines?  You can
>   1b) I want to make sure that if some machine gets compromised, it
>   can't send spoofed IP. So I've put:
>       block out quick on $ExtIF inet from ! $ExtIP to any
>   But it doesn't allows my aliased IP. I've tried to use a list. But
>   when I negate a list I get a sysntax error (which I expected
>   anyway). I don't think it's logical to have a list of negated IPs
>   since that should mean everything. How am I supposed to do this?
	block out on $ExtIF all
	pass out on $ExtIF from $ExtIP to any
I find that people (ab)use the the `quick' keyword too much.