
Re[2]: little question.



Hello Ray,
Thursday, March 06, 2003, 1:18:57 AM, you wrote:
Ray> On Wed, Mar 05, 2003 at 12:52:50PM -0300, Alejandro G. Belluscio wrote:
>> Hello pf,
>> 
>>   I've found two problems today on my 3.2 release machine. I've got an
>>   $ExtIF that connects to the Internet and an $IntIF that goes to a
>>   NATed private net.
>>   1) I've got a cablemodem that assigns an IP through DHCP. But the
>>   cablemodem itself has an 192.169.100.1 IP. So I have added an alias
>>   192.168.100.128. Which leads to two subproblems.
>>   1a) When I try to reach it from my NATed machine it gets translated
>>   and so it doesn't go through 192.168.100.128 but my CM assigned IP.
>>   I think that I have to add a:
Ray> Why not just use a different subnet for your NATed machines?  You can
Ray> use 10.0.0.0/8.
Maybe I misstated the question. My LAN is _not_ 192.168.100.0/24. This
is a private address reserved for administrative purposes (reboot the
CM, see the power levels and noise in the line, problems in the
connection, etc.). So I have my LAN that gets NATed when going out to
the CM. I've added the 'no nat' clause. But since DHCP and aliased IPs
do not like each other, I have to ssh and use lynx to check my CM
status. Not a nice thing to do.
>>   1b) I want to make sure that if some machine gets compromised, it
>>   can't send spoofed IP. So I've put:
>> 
>>       block out quick on $ExtIF inet from ! $ExtIP to any
>> 
>>   But it doesn't allow my aliased IP. I've tried to use a list. But
>>   when I negate a list I get a syntax error (which I expected
>>   anyway). I don't think it's logical to have a list of negated IPs
>>   since that should mean everything. How am I supposed to do this?
Ray> try:
Ray>         block out on $ExtIF all
Ray>         pass out on $ExtIF from $ExtIP to any
Ray> I find that people (ab)use the `quick' keyword too much.
Did you mean?:
        block out on $ExtIF all
        pass out on $ExtIF from $ExtIP to any
        pass out on $ExtIF from $ExtAliasIP to any
        
Which is exactly equivalent to:
        pass out quick on $ExtIF from $ExtIP to any
        pass out quick on $ExtIF from $ExtAliasIP to any
        block out quick on $ExtIF all
With the only difference that in your example pf has to skip steps
downward and pass through the 'block all' rule unnecessarily.
-- 
Best regards,
 Alejandro Belluscio
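A toy model of pf's evaluation order (last matching rule wins, unless a matching rule is marked `quick`) to check the equivalence claimed in the reply and to count how many rules each variant walks per packet. This is an added example, not code from the thread or from pf itself; the interface name and the DHCP-assigned address are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

EXT_IF = "xl0"                    # constructed: the $ExtIF interface name
EXT_IP = "203.0.113.10"           # constructed: DHCP-assigned $ExtIP
EXT_ALIAS_IP = "192.168.100.128"  # the alias address from the thread

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the rule applies to ("on $ExtIF")
    src: Optional[str]     # source address, None means "from any"
    quick: bool = False    # 'quick' stops evaluation at this rule

    def matches(self, iface: str, src: str) -> bool:
        return self.iface == iface and (self.src is None or self.src == src)

def evaluate(rules, iface: str, src: str) -> Tuple[str, int]:
    """Simplified pf semantics: walk the ruleset top to bottom; the last
    matching rule decides, except that a matching 'quick' rule ends the
    walk immediately. With no match pf's default is to pass.
    Returns (verdict, number of rules examined)."""
    verdict, examined = "pass", 0
    for rule in rules:
        examined += 1
        if rule.matches(iface, src):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, examined

# Ray's last-match style, extended with the alias as the reply suggests
RAY_STYLE = [
    Rule("block", EXT_IF, None),
    Rule("pass", EXT_IF, EXT_IP),
    Rule("pass", EXT_IF, EXT_ALIAS_IP),
]
# Alejandro's rewrite: explicit 'quick' rules with the catch-all block last
QUICK_STYLE = [
    Rule("pass", EXT_IF, EXT_IP, quick=True),
    Rule("pass", EXT_IF, EXT_ALIAS_IP, quick=True),
    Rule("block", EXT_IF, None, quick=True),
]

def equivalent(sources) -> bool:
    """True if both rulesets reach the same verdict for every source address."""
    return all(evaluate(RAY_STYLE, EXT_IF, s)[0] == evaluate(QUICK_STYLE, EXT_IF, s)[0]
               for s in sources)
```

Legitimate traffic from $ExtIP stops at the first rule in the `quick` ruleset but walks all three in the last-match ruleset; a spoofed source is blocked by both.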