
Re: Things pf can't do?



* Dave Anderson <[email protected]> [2004-05-19 20:54]:
> There seem to be some things one might reasonably want to do which are
> not practical with pf; in particular, I (being paranoid) would like to
> drop any incoming packets which have the loopback address as their
> destination address -- but I also need to redirect some incoming packets
> to the loopback address (e.g., for spamd and ftp-proxy).  Since only the
> translated addresses are available to the filter rules, the only way to
> do this appears to be to use the 'pass' option on the redirection rules
> -- but this means that all of the other sanity-checking I do in the
> filter rules must also be squeezed into each redirection rule (which not
> only is awkward but probably isn't possible, since they're most likely
> too complex to express that way).
> If my analysis is correct,
it isn't ;)
if you use tags on the rdr rules, like
rdr on $ext_if inet proto tcp from any to any port 25 tag NAT \
    -> 127.0.0.1 port 8025
you can refer to that tag later on:
block in quick on $ext_if to 127.0.0.1 ! tagged NAT
-- 
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
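As an added example (not part of the thread), a fuller ruleset built on the tag approach from the reply, covering both redirections the question mentions (spamd and ftp-proxy); the interface name fxp0 and the ftp-proxy port 8021 are assumptions:

```pf
# Added example ruleset, not from the thread. Assumes the old (pre-4.7)
# rdr syntax used in the reply, an external interface named fxp0,
# spamd listening on 127.0.0.1:8025 and ftp-proxy on 127.0.0.1:8021
# (interface name and ftp-proxy port are assumptions for this example).
ext_if = "fxp0"

# Translation rules: every packet we intentionally send to loopback gets
# the LOOPBACK tag. Filter rules only see the translated destination
# (127.0.0.1), so the tag is the only way to tell "we redirected this"
# from "the sender addressed 127.0.0.1 directly".
rdr on $ext_if inet proto tcp from any to any port 25 tag LOOPBACK \
    -> 127.0.0.1 port 8025
rdr on $ext_if inet proto tcp from any to any port 21 tag LOOPBACK \
    -> 127.0.0.1 port 8021

# Default: drop and log everything inbound on the external interface.
block in log on $ext_if all

# The loopback interface itself is trusted.
pass quick on lo0 all

# Anti-spoofing: nothing arriving on the external interface should claim
# a loopback source address, redirected or not.
block in log quick on $ext_if inet from 127.0.0.0/8 to any

# The paranoid rule from the thread, widened to the whole loopback net:
# drop any inbound packet for 127/8 that did not pass through one of our
# tagged rdr rules. 'quick' makes this final regardless of later rules.
block in log quick on $ext_if inet from any to 127.0.0.0/8 ! tagged LOOPBACK

# Only the redirected services are let in, and only when tagged. The usual
# sanity checks (TCP flags, state) stay in the filter rules where they
# belong instead of being squeezed into each rdr rule.
pass in quick on $ext_if inet proto tcp from any to 127.0.0.1 \
    port { 8025, 8021 } flags S/SA keep state tagged LOOPBACK
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`; packets dropped by the logging block rules can be watched on pflog0 with `tcpdump -n -e -ttt -i pflog0` to confirm that only untagged loopback-destined traffic is being rejected.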