Subject: Re: pf & nat: blocking single machine inside LAN
To: None <netbsd-users@netbsd.org>
From: Mark Cullen <mark.r.cullen@gmail.com>
List: netbsd-users
Date: 07/12/2006 15:23:10
Mark Cullen wrote:
> I'm having a slight problem here.
>
> I have a simple NAT set up:
>
> ---
> set block-policy return
>
> ext_if="fxp1"
> int_if="fxp0"
>
> scrub in
>
> # === nat
> # web proxy
> web_proxy_ip="10.0.0.245"
> web_proxy_port="3128"
>
> #no rdr on $int_if proto tcp from ($int_if:network) to ($int_if) port 80
> #no rdr on $int_if proto tcp from $web_proxy_ip to any port 80
> #rdr on $int_if proto tcp from ($int_if:network) to any port 80 -> $web_proxy_ip port $web_proxy_port
> #no nat on $int_if proto tcp from ($int_if:network) to any port 80
> #nat on $int_if proto tcp from ($int_if:network) to $web_proxy_ip port $web_proxy_port -> ($int_if:0)
>
> # default nat
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # ftp proxy
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> # === filter rules
> # default to block
> block in log
>
> # allow adsl modem dhcp
> pass quick on $ext_if proto udp from 192.168.0.1 port 67 to any port 68 keep state
>
> # keep state on all outgoing
> pass out keep state
>
> # allow local traffic quick
> pass quick on { lo $int_if }
> antispoof quick for { lo $int_if }
>
> # allow ftp proxy
> anchor "ftp-proxy/*"
>
> # allow incoming
> pass in quick on $ext_if proto tcp to ($ext_if) port 80 keep state
> pass in quick on $ext_if proto tcp to ($ext_if) port 55000 >< 57000 keep state
> ---
>
> Now, I have a machine inside the LAN, say 10.0.0.45, which I would like
> to block from using the internet (fxp1) after a certain time (my
> intention was to use a table and just run a script from cron which adds
> / deletes the IP to / from the table when I need it to), but it *must*
> still be able to connect to the machine internally (fxp0). However,
> because you cannot place any filter rules before NAT'ing, I am finding
> this rather difficult to achieve, as packets after the NAT'ing have their
> source address replaced with my external IP and then I can no longer
> match by internal IPs.
>
> Can anyone see a nice way to achieve this?
Ah, I spoke too soon again :) It looks like I can do:
"no nat on $ext_if from <timed_blocks> to any"
before the default nat rule. Seems to stop the internet from working on
the machine I put in the timed_blocks table anyway... I think!
--
Mark Cullen <mark.r.cullen@gmail.com>
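The following is an added example, not the poster's pf.conf, showing the other way to get the effect discussed in this thread. pf applies the nat rule only when a packet leaves fxp1, so a filter rule on fxp0 still sees the untranslated 10.0.0.x source address; the table can be filtered there directly, and no "no nat" exception is needed. With a "no nat" rule the packets from the blocked host are instead sent out fxp1 with their private source address intact, and the host only loses internet access because the upstream drops them. Interface names, the 10.0.0.0/24 network and the table name timed_blocks are taken from the thread; the rule placement and everything else is assumed.

```conf
# Added example (not the poster's pf.conf): block one LAN host from the
# internet while leaving LAN access intact, by filtering on the internal
# interface, where the original source address is still visible.
# Interface names, the LAN network and the table name follow the thread;
# the rest is assumed.

ext_if="fxp1"
int_if="fxp0"

# Hosts to cut off; edited at runtime with pfctl -t timed_blocks -T add/delete.
# "persist" keeps the table defined even while it is empty.
table <timed_blocks> persist

set block-policy return
scrub in

# Translation only happens when the packet leaves $ext_if, so rules on
# $int_if match the untranslated 10.0.0.x source. Keep the default nat as is.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in log

# Must come before "pass quick on { lo $int_if }" or it never matches.
# Traffic from a blocked host to another address inside $int_if:network
# (including the gateway's own fxp0 address) is deliberately not matched.
block in log quick on $int_if from <timed_blocks> to ! ($int_if:network)

pass out keep state
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }
```

The cron job then only needs `pfctl -t timed_blocks -T add 10.0.0.45` and `pfctl -t timed_blocks -T delete 10.0.0.45` (check with `pfctl -t timed_blocks -T show`). Two caveats a practitioner will want: adding an address to the table does not affect connections that already have state, so follow the add with `pfctl -k 10.0.0.45` to kill the host's existing states; and because rdr is applied before filtering, FTP from a blocked host arrives at the filter with destination 127.0.0.1 port 8021, which lies outside $int_if:network and is therefore blocked as well, which is presumably the intent.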