
Re: Things pf can't do?



Dave Anderson wrote:

I'm new to pf, so I'd appreciate a sanity-check.  I've searched through
the docs and the mailing list archives but not found anything that
clarifies this.  (I found one similar question, but it never got an
answer.)

There seem to be some things one might reasonably want to do which are
not practical with pf; in particular, I (being paranoid) would like to
drop any incoming packets which have the loopback address as their
destination address -- but I also need to redirect some incoming packets
to the loopback address (e.g., for spamd and ftp-proxy).  Since only the
translated addresses are available to the filter rules, the only way to
do this appears to be to use the 'pass' option on the redirection rules
-- but this means that all of the other sanity-checking I do in the
filter rules must also be squeezed into each redirection rule (which not
only is awkward but probably isn't possible, since they're most likely
too complex to express that way).

If my analysis is correct, are there any plans for dealing with issues
of this sort?



Look at tags. I'm pretty sure you can tag a packet when it hits the RDR rule, and then filter on that tag later instead of the loopback address.

Cedric
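The approach Cedric describes, written out as an added pf.conf fragment that is not part of this thread or of the pf project's own documentation. It assumes the pre-4.7 pf grammar the question is built on (separate rdr rules, filter rules seeing only the translated address), that `rdr` rules accept the `tag` option and filter rules accept `tagged` / `! tagged` (both exist in the pf.conf(5) grammar of that era, but verify against your release), an external interface called `$ext_if`, and spamd listening on 127.0.0.1 port 8025; all three values are placeholders.

```pf
# Added example, not from the original thread. Assumed names: em0, 8025.
ext_if = "em0"

# Translation: redirect inbound SMTP from greylisted senders to spamd on
# loopback and mark the packet so the filter can recognise it afterwards.
# The filter rules below see the *translated* address (127.0.0.1), which
# is why the tag is needed to tell legitimate redirects from spoofed ones.
rdr on $ext_if proto tcp from any to ($ext_if) port smtp tag SPAMD \
    -> 127.0.0.1 port 8025

# Filtering: keep the paranoid rule, but exempt packets carrying the tag.
# "quick" stops evaluation, so anything aimed at loopback that did not
# come through the rdr rule above is dropped here.
block in quick on $ext_if from any to 127.0.0.0/8 ! tagged SPAMD

# Only packets the rdr rule tagged can reach spamd on loopback, and the
# usual stateful checks still apply to them.
pass in on $ext_if proto tcp from any to 127.0.0.1 port 8025 \
    tagged SPAMD keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; because `block ... quick` matches first, any typo in the tag name (the two `SPAMD` spellings must agree exactly) silently turns the exemption into a drop of all redirected traffic, which is the failure mode to watch for when testing.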