Date:      Sun, 6 Feb 2005 17:48:49 +0100
From:      Hexren <me@hexren.net>
To:        vsavichev@wesleyan.edu
Cc:        freebsd-pf@freebsd.org
Subject:   Re: block specific IP's: corporate network
Message-ID:  <10021429243.20050206174849@hexren.net>
In-Reply-To: <63053.81.30.213.103.1107703511.squirrel@81.30.213.103>
References:  <63053.81.30.213.103.1107703511.squirrel@81.30.213.103>

vwe> we have a standard LAN-server-WAN network configuration in
vwe> cyber-cafe

vwe> --LAN---|-em0-server----dc0-|---WAN

vwe> we want to rule outbound client connections, so pf.conf has the following
vwe> layout (only filter rules part)

vwe> .....
vwe> pass quick on $int_if all
vwe> pass quick on lo0 all

vwe> # block specific client's ip's
vwe> #
vwe> block in quick on $ext_if from any  to IP
vwe> block out quick on $ext_if from IP to any
vwe> .....
vwe> # stateful pass out rules on the specific ports
vwe> #e.g.
vwe> # Allow out non-secure standard www function
vwe> pass out quick on $ext_if proto tcp from any to any port = 80 flags S/SA keep state
vwe> ....

vwe> So we assume the given IP should be blocked from the WAN. But to my amusement,
vwe> the client's browser gets out, states are created, so nothing is
vwe> being blocked. For now, I have no clue how it is happening.
vwe> Vlad

---------------------------------------------

Shooting in the dark here: are you doing NAT on outbound connections?
In that instance the filtering part of the ruleset will see the NATed
packet on $ext_if, and as that packet will have as source the IP from
$ext_if, the rule blocking IP (IP being internal) will not catch it.
Maybe you should try to do the filtering on $int_if.

Regards
Hexren
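One way to apply the suggestion above, as an added example that is not part of either post: filter the client's address on $int_if, where the packet still carries its real source, before NAT rewrites it on $ext_if. The interface macros match the diagram in the question; the 192.168.1.0/24 LAN and the 192.168.1.50 client address are constructed placeholders.

```pf
# Constructed example. Assumed topology: LAN <-> em0 (int_if) server dc0 (ext_if) <-> WAN.
ext_if  = "dc0"
int_if  = "em0"
lan_net = "192.168.1.0/24"      # placeholder LAN subnet
blocked = "{ 192.168.1.50 }"    # placeholder client to cut off from the WAN

# Translation happens before filtering for packets leaving $ext_if, so a
# "block out on $ext_if from 192.168.1.50" rule never matches: by the time
# the filter sees the packet its source is already $ext_if's own address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Block the client where its address is still visible: inbound on $int_if.
# This must come BEFORE "pass quick on $int_if all", because "quick" stops
# evaluation at the first match. "log" sends hits to pflog0 so the block
# can be confirmed with tcpdump rather than guessed at.
block in log quick on $int_if from $blocked to any

pass quick on $int_if all
pass quick on lo0 all

# Stateful outbound rules on the WAN side are unchanged.
pass out quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and watch `pfctl -ss` for the client's address: once the block is on $int_if no new states should appear for it.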


