Subject: Re: IPfilter blocking on the wrong interface?
To: None <netbsd-users@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: netbsd-users
Date: 09/27/2004 12:31:51
In article <20040927120602.GA24283@schoot.org>,
	Wouter Schoot <wouter@schoot.org> writes:
> Take the following line:
> block in quick on ex0 from any to 10.0.0.0/8
> 
> I put it there to prevent the outer network card (connected to the internet)
> from packets destined for internal networks. I figured, they should not
> end up at my external interface.

The packet filter sees the packet after the network address translation.
So if a host on the internal network has a connection to the outer world
via NAT, the filter will see a packet with the internal address as
destination.

The disadvantage of this order is of course that it breaks rules like
the one you've listed above. The advantage however is that you can
filter based on the IP address of the NAT client which is (at least
IMHO) much more important.

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/
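An added illustration of the ordering Matthias describes, written for this
archive page (it is not code from either poster and not IPFilter's own
logic). It is a small Python model of the inbound path: a reply to a
NAT'ed connection arrives on ex0, the NAT mapping is undone, and only then
is the rule set consulted. The interface name ex0 and the "block in quick
... to 10.0.0.0/8" rule are from the thread; the public address 192.0.2.1,
the remote host 203.0.113.80, the internal clients 10.0.0.5 and 10.0.0.99,
the port numbers and the "nat_before_filter" switch are constructed for the
example. The switch exists only to show both consequences the post names:
with NAT first the rule blocks the reply, and with NAT first a rule aimed at
a single internal client's address can actually match.

```python
# Toy model of IPFilter's inbound NAT-then-filter order. Constructed example,
# not code from the original post or from IPFilter. Assumptions: first-match
# semantics for "quick" rules and a default "pass" when nothing matches.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatEntry:
    """One active 'map' translation: inside address/port <-> outside address/port."""
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


@dataclass(frozen=True)
class Rule:
    action: str        # "block" or "pass"
    direction: str     # "in" or "out"
    iface: str
    src_net: str       # CIDR, or "any"
    dst_net: str       # CIDR, or "any"


def _net(spec: str):
    return ip_network("0.0.0.0/0" if spec == "any" else spec)


def nat_inbound(pkt: Packet, nat_table) -> Packet:
    """Undo the map for a reply that arrives on the external interface."""
    for e in nat_table:
        if pkt.dst == e.outside_ip and pkt.dport == e.outside_port:
            return replace(pkt, dst=e.inside_ip, dport=e.inside_port)
    return pkt


def filter_packet(pkt: Packet, direction: str, rules) -> str:
    """Return the verdict of the first matching 'quick' rule, else 'pass'."""
    for r in rules:
        if r.direction != direction or r.iface != pkt.iface:
            continue
        if (ip_address(pkt.src) in _net(r.src_net)
                and ip_address(pkt.dst) in _net(r.dst_net)):
            return r.action
    return "pass"


def inbound_verdict(pkt: Packet, nat_table, rules, nat_before_filter: bool = True):
    """Process an inbound packet; return (verdict, packet as the filter saw it)."""
    if nat_before_filter:          # what the post says IPFilter does
        seen = nat_inbound(pkt, nat_table)
    else:                          # the order the quoted rule implicitly assumed
        seen = pkt
    return filter_packet(seen, "in", rules), seen


# Constructed state: two internal clients with outbound connections mapped
# onto the public address of ex0 (192.0.2.1), and the rule from the thread.
NAT_TABLE = [
    NatEntry("10.0.0.5", 40000, "192.0.2.1", 40000),
    NatEntry("10.0.0.99", 40001, "192.0.2.1", 40001),
]
RULES = [
    Rule("block", "in", "ex0", "any", "10.0.0.0/8"),     # the rule Wouter quoted
]
CLIENT_RULES = [
    Rule("block", "in", "ex0", "any", "10.0.0.99/32"),   # block one NAT client
]
# Replies from a web server on the internet to each client's connection.
REPLY_TO_5 = Packet("ex0", "203.0.113.80", "192.0.2.1", 80, 40000)
REPLY_TO_99 = Packet("ex0", "203.0.113.80", "192.0.2.1", 80, 40001)


def demo() -> dict:
    """Verdicts under both orderings, for both rule sets."""
    return {
        "thread_rule_nat_first": inbound_verdict(REPLY_TO_5, NAT_TABLE, RULES, True)[0],
        "thread_rule_filter_first": inbound_verdict(REPLY_TO_5, NAT_TABLE, RULES, False)[0],
        "client_rule_nat_first": inbound_verdict(REPLY_TO_99, NAT_TABLE, CLIENT_RULES, True)[0],
        "client_rule_filter_first": inbound_verdict(REPLY_TO_99, NAT_TABLE, CLIENT_RULES, False)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the trade-off from the post in one place: with NAT applied
first the 10.0.0.0/8 block rule drops the legitimate reply to 10.0.0.5,
while the per-client rule for 10.0.0.99 works; with the filter running on the
untranslated packet the broad rule is harmless, but the per-client rule can
never match because the filter only ever sees 192.0.2.1 as the destination.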