
Re: pf.conf frustration
On Sat, Mar 22, 2003 at 05:54:00PM -0700, Wayne Freeman wrote:
> webserver="192.168.0.201"
> NoRouteIPs="{..., 192.168.0.0/16, ...}"
> rdr on $outside proto tcp from any to any port 80 -> $webserver port 80
Translations (nat, rdr) occur before filtering, so these incoming
connections will already have destination address 192.168.0.201 when the
filter rules are evaluated.
> # don't allow anyone to spoof non-routeable addresses
> block in  quick on $outside from $NoRouteIPs to any
> block out quick on $outside from any to $NoRouteIPs
But you're blocking them, as 192.168.0.201 matches 'to $NoRouteIPs'.
Add rules to allow the redirected incoming connections to the local
servers; keep in mind that the destination addresses are already replaced
when the connections are getting filtered.
Daniel
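The fix Daniel describes, written out as an added pf.conf fragment that is not part of the original thread; the interface names, the firewall's external address ($ext_ip) and the full $NoRouteIPs list are assumed, only $outside, $webserver and the rdr/block lines come from the post:

```pf
# Added example (not from the original mail). Interface names, $ext_ip and
# the complete $NoRouteIPs list are assumed for illustration.
outside="fxp0"
inside="fxp1"
ext_ip="203.0.113.1"
webserver="192.168.0.201"
NoRouteIPs="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Translation runs before filtering: an inbound packet to port 80 on
# $outside has its destination rewritten to 192.168.0.201 before any
# filter rule below is evaluated.
rdr on $outside proto tcp from any to any port 80 -> $webserver port 80

# Anti-spoofing blocks, as in the original post.
block in  quick on $outside from $NoRouteIPs to any
block out quick on $outside from any to $NoRouteIPs

# Wrong: matches the pre-translation (external) destination, which the
# packet no longer carries when filtering happens, so nothing is passed.
# pass in on $outside proto tcp from any to $ext_ip port 80 keep state

# Right: match the translated destination, and only that host and port,
# rather than opening all of $NoRouteIPs. keep state lets the replies and
# the forwarded packets on $inside through without further pass rules.
pass in on $outside proto tcp from any to $webserver port 80 flags S/SA keep state
```

Check the result with `pfctl -s rules` and `pfctl -s nat` after loading; the pass rule should show the internal address, not the external one.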