--As of September 12, 2006 4:16:33 PM -0300, [EMAIL PROTECTED] is alleged to have said:

If I have a network with hundreds of computers, then all of them would be
able to access port 80 and not just $PC, which is a single computer. Does
a way exist to perform the filtering first and then the NATing, so I can
filter, by internal IP address, who can or can't access the Internet
using certain ports and/or destinations?

Maybe I should block the internal incoming packets to PF at $if_ne3; I
mean by deleting this rule: 'pass in quick on $int_if from
$int_if:network to any keep state' and creating a new one for every
specific internal host that I want to allow restricted access to the
Internet. (I'm not at home right now, so I'm not able to test this.)

--As for the rest, it is mine.

Filtering on the other interface will work, but is likely to cause further headaches figuring out your rules in the future. (It doubles the complexity of your rules, basically.)

You do not have to nat everything, and you *can* tag on nat, then filter on the tags. Between the two, you should be able to achieve the level of control you need.

Daniel T. Staal

---------------------------------------------------------------
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---------------------------------------------------------------
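The two approaches Daniel mentions (not translating every host, and tagging on the nat rule so the filter can still tell the hosts apart after translation) as a pf.conf fragment. This is an added example, not code from the thread or from any of its participants. It uses the pre-OpenBSD-4.7 syntax current in 2006, where nat rules are evaluated before the filter rules on the outbound interface, and assumes the poster's macros $ext_if, $int_if and $PC; the interface names, addresses and tag names are made up for illustration.

```pf
# Added example (not from the original mail). Macro values are assumed.
ext_if  = "ne3"
int_if  = "xl0"
PC      = "192.168.1.10"                     # full Internet access
web_only = "{ 192.168.1.20, 192.168.1.21 }"  # http/https only

# Translation rules: first match wins, and on $ext_if they run before the
# filter rules, so by the time a packet reaches "pass out on $ext_if" its
# source address is already ($ext_if). The tag is attached to the packet
# at nat time and survives the translation, so the filter can key on it.
# Hosts with no nat rule at all keep their private source address and
# fall through to "block all" below (approach 1: do not nat everything).
nat on $ext_if from $PC       to any -> ($ext_if) tag LAN_FULL
nat on $ext_if from $web_only to any -> ($ext_if) tag LAN_WEB

block all

# The poster's existing catch-all stays on the inside; the restriction is
# enforced on the way out instead, which avoids duplicating the policy on
# both interfaces.
pass in quick on $int_if from $int_if:network to any keep state

# Outbound on $ext_if: match on the tag, not on the (translated) address.
pass out quick on $ext_if tagged LAN_FULL keep state
pass out quick on $ext_if proto tcp to any port { 80, 443 } tagged LAN_WEB keep state
block out quick on $ext_if tagged LAN_WEB      # anything else from that group

# The firewall's own outbound traffic carries no tag and ($ext_if) as source.
pass out quick on $ext_if from ($ext_if) to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without applying. Note that OpenBSD 4.7 and later replaced the `nat` rule with a `match ... nat-to` option and evaluate filter rules against the untranslated source address, so on those releases the tag is no longer needed to see the internal host in a `pass out` rule.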
