Subject: pf & nat: blocking single machine inside LAN
To: None <netbsd-users@netbsd.org>
From: Mark Cullen <mark.r.cullen@gmail.com>
List: netbsd-users
Date: 07/12/2006 14:45:34
I'm having a slight problem here.
I have a simple NAT set up:
---
set block-policy return
ext_if="fxp1"
int_if="fxp0"
scrub in
# === nat
# web proxy
web_proxy_ip="10.0.0.245"
web_proxy_port="3128"
#no rdr on $int_if proto tcp from ($int_if:network) to ($int_if) port 80
#no rdr on $int_if proto tcp from $web_proxy_ip to any port 80
#rdr on $int_if proto tcp from ($int_if:network) to any port 80 -> $web_proxy_ip port $web_proxy_port
#no nat on $int_if proto tcp from ($int_if:network) to any port 80
#nat on $int_if proto tcp from ($int_if:network) to $web_proxy_ip port $web_proxy_port -> ($int_if:0)
# default nat
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# === filter rules
# default to block
block in log
# allow adsl modem dhcp
pass quick on $ext_if proto udp from 192.168.0.1 port 67 to any port 68 keep state
# keep state on all outgoing
pass out keep state
# allow local traffic quick
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }
# allow ftp proxy
anchor "ftp-proxy/*"
# allow incoming
pass in quick on $ext_if proto tcp to ($ext_if) port 80 keep state
pass in quick on $ext_if proto tcp to ($ext_if) port 55000 >< 57000 keep state
--
Now, I have a machine inside the LAN, say 10.0.0.45, which I would like
to block from using the internet (fxp1) after a certain time (my
intention was to use a table and just run a script from cron which adds
the IP to / deletes it from the table when I need it to), but it *must*
still be able to connect to the machine internally (fxp0). However,
because you cannot place any filter rules before NAT'ing, I am finding
this rather difficult to achieve, as packets after the NAT'ing have their
source address replaced with my external IP and then I can no longer
match by internal IPs.
Can anyone see a nice way to achieve this?
--
Mark Cullen <mark.r.cullen@gmail.com>
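One way to do this with pf, as an added example that is not part of the original post or of any reply on this page: filter the packet where it arrives, on the inbound LAN interface, rather than on the external interface. A packet coming in on $int_if still carries its private source address, because outbound NAT on $ext_if is applied only when the packet leaves on that interface, so an `in` rule on $int_if can match the internal IP directly. The table name `lanblock` and the interface names are assumptions; the rule order matters because the poster's existing `pass quick on { lo $int_if }` would otherwise pass the traffic before anything else sees it.

```pf
# Added example (not the poster's configuration): cut a LAN host off from
# the internet while leaving LAN and firewall access intact.
ext_if="fxp1"
int_if="fxp0"

# Hosts to cut off. "persist" keeps the table alive even when empty, so a
# cron job can add and delete entries without reloading the ruleset.
# Table name "lanblock" and the sample address are assumptions.
table <lanblock> persist { 10.0.0.45 }

# unchanged outbound NAT on the external interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in log

# Match on the inbound LAN interface, where the source address has not
# yet been translated. Destinations inside the LAN (including the
# firewall's own address on $int_if) are exempt via !($int_if:network).
# This must sit before the general "pass quick on $int_if" rule, since
# both are "quick" and the first quick match wins.
block in log quick on $int_if from <lanblock> to !($int_if:network)

# allow local traffic quick (unchanged from the original ruleset)
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }

pass out keep state
```

Usage: the cron script then only needs `pfctl -t lanblock -T add 10.0.0.45` and `pfctl -t lanblock -T delete 10.0.0.45`. Note that `pass out keep state` means connections the host already has open survive the table change; run `pfctl -k 10.0.0.45` after adding the entry to kill its existing states, otherwise the cut-off only applies to new connections.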