#8
3rd November 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

The issue is that you will have to find a way to tag the traffic whose destination is the public Internet. In your case, traffic entering the internal interface can have three destinations: the Internet, the DMZ net, or the address of the external interface.

Code:
# internal LAN to DMZ traffic (dangerous!)
# tagged LAN2DMZ so later rules can recognise it with "tagged LAN2DMZ"
pass in quick on $int from $int:network to $dmz:network tag LAN2DMZ

# only needed e.g. to ping the external interface, so no tag needed here
pass in quick on $int from $int:network to $ext

# the remaining traffic not passed yet is from the internal LAN to the INTERNET
pass in quick on $int from $int:network to any tag LAN2INET
EDIT: Note that normally pf follows a "last match wins" strategy. The only way to circumvent this strategy is to use quick. That way the rule will be applied immediately, and no other alternative rules will be sought or tried.

You could try this approach.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 3rd November 2011 at 10:22 AM.
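A complete pf.conf built around the tagging approach in the post above, as an added example: this is not J65nko's ruleset and not from the original thread. The interface names em0/em1/em2, the `block log all` default and the `nat-to ($ext)` line are assumptions; the syntax is pf.conf(5) for OpenBSD 4.7 and later. It adds the half the post leaves out, the outbound rules that consume the tags with `tagged`, so that LAN2DMZ traffic can only leave via the DMZ interface and LAN2INET traffic only via the external one.

```pf
# Interface macros: assumed names for this example
ext = "em0"        # towards the Internet
int = "em1"        # internal LAN
dmz = "em2"        # DMZ

set skip on lo

# Default policy (assumed): drop and log everything not explicitly passed
block log all

# --- inbound on the internal LAN: classify by destination and tag ---
# "quick" matters on all three rules. Tags are sticky, but a later matching
# rule replaces the tag, so without quick the last rule (to any) would
# re-tag DMZ-bound traffic as LAN2INET.

# 1. LAN to DMZ (dangerous if a DMZ host is compromised: it is reachable
#    from the whole LAN and the LAN trusts nothing in return)
pass in quick on $int from $int:network to $dmz:network tag LAN2DMZ

# 2. LAN to the firewall's own external address (ping etc.): no tag needed
pass in quick on $int from $int:network to $ext

# 3. whatever is left from the LAN is Internet-bound
pass in quick on $int from $int:network to any tag LAN2INET

# --- outbound: let a tag out only on the interface it belongs to ---
# LAN2DMZ may only leave via the DMZ interface
pass out quick on $dmz tagged LAN2DMZ

# LAN2INET may only leave via the external interface, source-NATed to
# the external address (nat-to is an assumption; drop it if no NAT is used)
pass out quick on $ext tagged LAN2INET nat-to ($ext)

# Anything else, e.g. a LAN2DMZ packet that somehow tries to leave on $ext,
# falls through to "block log all" and shows up on pflog0
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, look at the loaded rules and their hit counters with `pfctl -vsr`, and, in the spirit of the signature above, watch what the default block catches with `tcpdump -n -e -ttt -i pflog0`; the `-e` flag prints the rule number and action for each logged packet, which tells you which of the tagging rules a packet did or did not reach. Traffic originating on the firewall itself and traffic coming in from the Internet are not covered here and need their own rules.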