Hi,

I have two machines. One desktop and one mobile laptop. They are
connected to each other via wlan. The desktop is connected to the
internet via pppoe and provides internet connectivity to the
laptop via nat.
On the desktop I would like to block all incoming packets
destined to the desktop machine (except ssh and icmp echo
requests), but forward all packets destined elsewhere.
The pppoe interface on the desktop is assigned a dynamic ip.

nat-to works fine using the following rules.

# Masquerade and route wlan clients to outside
pass in on ath0 from 192.168.23.0/24
match out on tun0 from 192.168.23.0/24 nat-to (tun0) #intranet via vpn
match out on egress from 192.168.23.0/24 nat-to (egress) #pppoe0

As I understand it, pf cannot tell incoming packets destined to the
local machine from incoming packets to be forwarded. With iptables
I could easily accomplish this using the INPUT vs. the FORWARD
chains. With pf I could do it by blocking all packets having a
destination ip hosted by the desktop. But for this to work I would
need a static ip or modify the pf rules every time my public ip
changes.
Is there any other, _simple_ way to accomplish this?


Cheers,

Christopher
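One way to express the INPUT-vs-FORWARD split the post asks about, as an added example that is not the poster's ruleset or a reply from the list: pf lets an interface name in parentheses, such as `(egress)`, stand for that interface's current address and re-evaluates it whenever the address changes, so rules about "traffic for the desktop itself" survive a new pppoe lease. Interface names (ath0, tun0, egress) and the 192.168.23.0/24 network are taken from the post; the default-deny and pass-out rules are assumptions about the rest of the ruleset.

```pf
# Added example, not the poster's configuration.
# Interface names and the LAN network are those given in the post.
wlan_if = "ath0"
vpn_if  = "tun0"
lan_net = "192.168.23.0/24"

set skip on lo

# Default deny for anything arriving on any interface; log it for review.
block in log all

# Let the desktop's own traffic and forwarded traffic leave.
pass out all

# Forward and masquerade the wlan clients (same rules as in the post).
pass in on $wlan_if from $lan_net
match out on $vpn_if from $lan_net nat-to ($vpn_if)   # intranet via vpn
match out on egress  from $lan_net nat-to (egress)    # pppoe0

# Traffic addressed to the desktop itself: only ssh and ICMP echo requests.
# "(egress)" tracks the dynamic pppoe address, so no edit is needed after a
# reconnect. Replies to the NATed clients are matched by state before these
# rules are consulted, so forwarding is unaffected by the default block.
pass in on egress inet proto tcp  to (egress) port ssh
pass in on egress inet proto icmp to (egress) icmp-type echoreq
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`.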
