
Re: Things pf can't do?



On Wed, May 19, 2004 at 12:34:52PM -0400, Dave Anderson wrote:
[snip]
> There seem to be some things one might reasonably want to do which are
> not practical with pf; in particular, I (being paranoid) would like to
> drop any incoming packets which have the loopback address as their
> destination address -- but I also need to redirect some incoming packets
> to the loopback address (e.g., for spamd and ftp-proxy).  Since only the
> translated addresses are available to the filter rules, the only way to
> do this appears to be to use the 'pass' option on the redirection rules
> -- but this means that all of the other sanity-checking I do in the
> filter rules must also be squeezed into each redirection rule (which not
> only is awkward but probably isn't possible, since they're most likely
> too complex to express that way).
One practical solution is to tag with the rdr rule, and
check the tag instead of the destination address in the pass rule.
Can
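The approach Can describes, written out as a pf.conf fragment. This is an added illustration, not a configuration posted in the thread; the interface name `fxp0`, the `<spamd>` table, the tag name `SPAMD` and spamd's listening port 8025 are assumptions chosen for the example. The rdr rule attaches a tag, and the filter rules then decide by tag rather than by the (already translated) loopback destination, so the general "drop anything aimed at loopback" rule can stay in place:

```pf
# Added example, not from the original thread: tag on rdr, filter on the tag.
ext_if = "fxp0"                             # assumed external interface
table <spamd> persist file "/etc/spamd.black"   # assumed blacklist table

# Redirect SMTP from blacklisted senders to spamd on loopback and mark the
# packet with a tag so the filter rules can recognise it later.
rdr on $ext_if inet proto tcp from <spamd> to any port smtp \
    tag SPAMD -> 127.0.0.1 port 8025

# Default deny on the outside interface.
block in log on $ext_if

# Paranoia rule from the original question: packets arriving from outside
# with a loopback destination are dropped, unless we redirected them ourselves.
# The filter sees the translated address, so the tag is what tells the two apart.
block drop in quick log on $ext_if inet from any to 127.0.0.0/8 ! tagged SPAMD

# Accept only the packets our own rdr rule tagged; no need to repeat the
# destination address or to use "pass" on the rdr rule itself.
pass in on $ext_if inet proto tcp tagged SPAMD keep state
```

Because rdr is applied before the filter rules are evaluated, the redirected packet reaches the filter already carrying the tag, so the quick block rule with `! tagged SPAMD` skips it and the `tagged SPAMD` pass rule matches. Any other packet destined for 127.0.0.0/8 on the external interface is dropped and logged as before.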