From owner-freebsd-pf@FreeBSD.ORG Sun Feb 6 16:48:54 2005
Date: Sun, 6 Feb 2005 17:48:49 +0100
From: Hexren
To: vsavichev@wesleyan.edu
cc: freebsd-pf@freebsd.org
Subject: Re: block specific IP's: corporate network
Message-ID: <10021429243.20050206174849@hexren.net>
In-Reply-To: <63053.81.30.213.103.1107703511.squirrel@81.30.213.103>
References: <63053.81.30.213.103.1107703511.squirrel@81.30.213.103>
List-Id: Technical discussion and general questions about packet filter (pf)

vwe> we have a standard LAN-server-WAN network configuration in
vwe> cyber-cafe
vwe> --LAN---|-em0-server----dc0-|---WAN
vwe> we want to rule outbound client connections, so pf.conf has the following
vwe> layout (only filter rules part)
vwe> .....
vwe> pass quick on $int_if all
vwe> pass quick on lo0 all
vwe> # block specific client's ip's
vwe> #
vwe> block in quick on $ext_if from any to IP
vwe> block out quick on $ext_if from IP to any
vwe> .....
vwe> # stateful pass out rules on the specific ports
vwe> #e.g.
vwe> # Allow out non-secure standard www function
vwe> pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA
vwe> keep state
vwe> ....
vwe> so we assume given IP should be blocked from the WAN. But to my amusement,
vwe> the client's browser gets out, states are created, so nothing is
vwe> being blocked. For now, I have no clue how it is happening
vwe> Vlad
vwe> _______________________________________________
vwe> freebsd-pf@freebsd.org mailing list
vwe> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
vwe> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

---------------------------------------------

Shooting in the dark here, are you doing NAT on outbound connections?
In that instance the filtering part of the ruleset will see the NATed packet on $ext_if, and as that packet will have as source the IP from $ext_if, the rule blocking IP (IP being internal) will not catch it.
Maybe you should try to do the filtering on $int_if.

Regards
Hexren
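The NAT interaction Hexren describes, as an added pf.conf example that is not from either poster; the interface names, the 192.168.0.0/24 LAN and the blocked host 192.168.0.50 are assumptions:

```pf
# Added example (not from the thread). Assumed: em0 = LAN side, dc0 = WAN side,
# the cafe LAN is 192.168.0.0/24 and 192.168.0.50 is the client to cut off.
int_if  = "em0"
ext_if  = "dc0"
lan_net = "192.168.0.0/24"
blocked = "192.168.0.50"

# Translation is applied before filtering. Once this rule rewrites the source
# address, a filter rule on $ext_if only ever sees dc0's own address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- Original placement: never matches while NAT is in play ----------------
# block out quick on $ext_if from $blocked to any  # source is already dc0's IP
# block in  quick on $ext_if from any to $blocked  # replies hit the state, not rules

# --- Corrected placement: filter on the inside interface, before NAT --------
# These must come before "pass quick on $int_if all"; "quick" ends evaluation.
block in  quick on $int_if from $blocked to any
block out quick on $int_if from any to $blocked

pass quick on $int_if all
pass quick on lo0 all

# Stateful pass-out for HTTP, as in the original ruleset
pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vsr` prints per-rule packet counters: a block rule whose counter stays at zero while `pfctl -ss` shows new states for the client is exactly the symptom Vlad reports.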