Re: Things pf can't do?

On Wed, 19 May 2004, Can Erkin Acar wrote:
>On Wed, May 19, 2004 at 12:34:52PM -0400, Dave Anderson wrote:
>> There seem to be some things one might reasonably want to do which are
>> not practical with pf; in particular, I (being paranoid) would like to
>> drop any incoming packets which have the loopback address as their
>> destination address -- but I also need to redirect some incoming packets
>> to the loopback address (e.g., for spamd and ftp-proxy).  Since only the
>> translated addresses are available to the filter rules, the only way to
>> do this appears to be to use the 'pass' option on the redirection rules
>> -- but this means that all of the other sanity-checking I do in the
>> filter rules must also be squeezed into each redirection rule (which not
>> only is awkward but probably isn't possible, since they're most likely
>> too complex to express that way).
>One practical solution is to tag with the rdr rule, and
>check the tag instead of the destination address in the pass rule.

D'oh!  Now that you've pointed that out, it's incredibly obvious!
pf is complicated enough that it definitely takes a while to wrap one's
mind around the whole thing.

Dave Anderson
<[email protected]>
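A worked pf.conf fragment showing the tag-and-filter approach Can describes, added here as an illustration and not part of the original thread. Interface names, the table name and the listening ports are assumptions (8025 and 8021 were the default ports of spamd and ftp-proxy at the time); the syntax is the pre-OpenBSD 4.7 form the thread discusses, where translation rules come first and filter rules only see the translated addresses.

```pf
# Added example, not from the original thread.  Interface names, the
# table name and the port numbers are assumptions.  Pre-OpenBSD 4.7
# syntax: rdr rules are evaluated before the filter rules, and the
# filter rules see the packet with its destination already rewritten.

ext_if = "fxp0"
int_if = "fxp1"
table <spamd> persist          # populated by spamd-setup(8)

# --- Translation -----------------------------------------------------
# Redirect SMTP from blacklisted hosts to spamd on the loopback address.
# 'tag SPAMD' marks the packet so the filter can distinguish it from an
# unsolicited packet that merely arrived addressed to 127.0.0.1.
rdr on $ext_if inet proto tcp from <spamd> to any port smtp \
        tag SPAMD -> 127.0.0.1 port 8025

# Redirect internal clients' FTP control connections to ftp-proxy.
rdr on $int_if inet proto tcp from $int_if:network to any port ftp \
        tag FTPPROXY -> 127.0.0.1 port 8021

# --- Filtering -------------------------------------------------------
# The usual sanity checks stay here as ordinary filter rules; nothing
# has to be squeezed into the rdr rules.
antispoof quick for { $ext_if $int_if } inet

# Drop anything arriving on a real interface with a loopback destination.
# Without the tag check below this would also kill the redirected
# packets, since their destination is already 127.0.0.1 at this point.
block in log on { $ext_if $int_if } inet from any to 127.0.0.0/8

# Last matching rule wins: re-allow only what an rdr rule tagged, and
# only to the exact address and port that rule redirected it to.
pass in on $ext_if inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
        flags S/SA keep state tagged SPAMD
pass in on $int_if inet proto tcp from $int_if:network \
        to 127.0.0.1 port 8021 flags S/SA keep state tagged FTPPROXY
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -vs nat` and `pfctl -vs rules` print the `tag` and `tagged` options so you can confirm they made it into the loaded rule set. The tag is pf-internal state attached to the packet (it never leaves the host), so an attacker cannot pre-tag a packet to slip past the block rule. On OpenBSD 4.7 and later the separate rdr section no longer exists (translation is done with `rdr-to` on filter rules), so this fragment would need rewriting there.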