
Re: little question.



On Wed, Mar 05, 2003 at 12:52:50PM -0300, Alejandro G. Belluscio wrote:
> Hello pf,
> 
>   I've found two problems today on my 3.2 release machine. I've got an
>   $ExtIF that connects to the Internet and an $IntIF that goes to a
>   NATed private net.
>   1) I've got a cablemodem that assigns an IP through DHCP. But the
>   cablemodem itself has an 192.169.100.1 IP. So I have added an alias
>   192.168.100.128. Which leads to two subproblems.
>   1a) When I try to reach it from my NATed machine it gets translated
>   and so it doesn't go through 192.168.100.128 but my CM assigned IP.
>   I think that I have to add a:
Why not just use a different subnet for your NATed machines?  You can
use 10.0.0.0/8.
>   1b) I want to make sure that if some machine gets compromised, it
>   can't send spoofed IP. So I've put:
> 
>       block out quick on $ExtIF inet from ! $ExtIP to any
> 
>   But it doesn't allow my aliased IP. I've tried to use a list. But
>   when I negate a list I get a syntax error (which I expected
>   anyway). I don't think it's logical to have a list of negated IPs
>   since that should mean everything. How am I supposed to do this?
try:
	block out on $ExtIF all
	pass out on $ExtIF from $ExtIP to any
I find that people (ab)use the `quick' keyword too much.
-Ray-
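An added pf.conf fragment, not part of Ray's reply or the original thread, that spells out the positive-match approach for an external interface carrying more than one address (the DHCP-assigned one plus the alias), and a NAT rule for reaching the modem through the alias. Interface names, the 203.0.113.10 address and the 10.0.0.0/8 internal net are assumed placeholders.

```pf
# Added example; interface names and addresses are placeholders, not
# values taken from the thread.
ext_if   = "fxp0"
int_if   = "fxp1"
int_net  = "10.0.0.0/8"          # NATed clients, on a subnet that cannot collide with the modem
ext_ip   = "203.0.113.10"        # address the cable modem handed out via DHCP
alias_ip = "192.168.100.128"     # alias on $ext_if used to reach the modem itself
modem_net = "192.168.100.0/24"
ext_addrs = "{ 203.0.113.10, 192.168.100.128 }"   # every address we legitimately source from

# NAT: traffic for the modem's own subnet leaves with the alias as source,
# everything else with the DHCP address. First matching nat rule wins,
# so the specific rule must come first.
nat on $ext_if from $int_net to $modem_net -> $alias_ip
nat on $ext_if from $int_net to any        -> $ext_ip

# Egress anti-spoofing: deny by default, then permit only packets whose
# source is one of our own addresses. pf expands the list into one pass
# rule per address, which is why a positive list works where a negated
# list ("! { ... }") is rejected by the parser.
block out log on $ext_if all
pass out on $ext_if inet from $ext_addrs to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without applying the rules, and `pfctl -sr` afterwards shows how the list was expanded.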