Re: Negate a "to" address



10-13-2005
grant beattie

On Wed, Oct 12, 2005 at 11:53:06PM -0400, Michael Dahlberg wrote:

> My apologies if this question has been addressed before:
>
> I'm setting up an IPfilter/NAT router configuration for a Solaris 10
> system (192.168.0.1) where hme0 is the internal interface and hme1 is
> the external Internet interface. I want only one system (192.168.0.5)
> within the internal domain (192.168.0.0/24) to be able to access the
> Solaris 10 via ssh; however, all internal systems need to pass traffic
> through the internal interface so that it can be sent out the external
> interface:
>
> pass in quick on hme0 from 192.168.0.0/24 to any keep state
>     (for internal systems' Internet access)
>
> pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh keep state
>     (for a specific system's ssh access to the Solaris router)
>
> It seems that by including the first rule that ALL internal systems
> would have ssh access to the Solaris router which would make the
> second rule pointless.
>
> Is there a way to permit all internal systems access to the external
> network but only give one internal system ssh access to the router?


sure, just reverse the order and insert a block rule in between:

> pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh keep state

block in quick on hme0 from 192.168.0.0/24 to 192.168.0.1/32 port = ssh

> pass in quick on hme0 from 192.168.0.0/24 to any keep state
>     (for internal systems' Internet access)


grant.
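The reply works because of how IPFilter treats `quick`: evaluation stops at the first matching `quick` rule, whereas a rule without `quick` only records a verdict and the last matching rule decides. The Python model below is added here as an illustration; it is not part of the thread and not IPFilter code. It parses only the subset of ipf.conf syntax the thread uses (interface, protocol and `keep state` are accepted but ignored; the verdict for a packet no rule matches is an assumed parameter, set to "pass" because a stock IPFilter build passes unmatched packets) and evaluates three constructed packets against the questioner's ordering, grant's corrected ordering, and the corrected ordering with `quick` removed.

```python
"""Model of IPFilter rule evaluation for the rule orderings in the thread.

Added example, not IPFilter's own code. Models rule order, the `quick`
keyword (first match ends evaluation; without it the last match wins) and
src/dst/port matching. Interface, protocol and `keep state` are ignored.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

SERVICES = {"ssh": 22}  # only the service name used in the thread


def net(text: str) -> ipaddress.IPv4Network:
    """'any' becomes 0.0.0.0/0; otherwise parse the CIDR as written."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port
    quick: bool

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def parse_rule(line: str) -> Rule:
    """Parse: <pass|block> in [quick] on <if> from <net|any> to <net|any>
    [port = <n|name>] [keep state]  (the subset the thread uses)."""
    tok = line.split()
    dport = None
    if "port" in tok:
        val = tok[tok.index("port") + 2]     # "port = ssh" -> "ssh"
        dport = SERVICES.get(val) or int(val)
    return Rule(action=tok[0],
                src=net(tok[tok.index("from") + 1]),
                dst=net(tok[tok.index("to") + 1]),
                dport=dport,
                quick="quick" in tok)


def evaluate(rules, src: str, dst: str, dport: int, default: str = "pass") -> str:
    """Walk the rule list top to bottom. A matching `quick` rule ends the
    walk; otherwise the last matching rule decides. `default` (assumed
    parameter) applies when nothing matches; stock ipf passes such packets."""
    verdict = default
    for r in rules:
        if r.matches(src, dst, dport):
            verdict = r.action
            if r.quick:
                break
    return verdict


# The questioner's ordering: the broad pass rule comes first.
ORIGINAL_ORDER = [parse_rule(l) for l in (
    "pass in quick on hme0 from 192.168.0.0/24 to any keep state",
    "pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh keep state",
)]

# grant's ordering: specific pass, then a block for everyone else's ssh, then the broad pass.
FIXED_ORDER = [parse_rule(l) for l in (
    "pass in quick on hme0 from 192.168.0.5/32 to 192.168.0.1/32 port = ssh keep state",
    "block in quick on hme0 from 192.168.0.0/24 to 192.168.0.1/32 port = ssh",
    "pass in quick on hme0 from 192.168.0.0/24 to any keep state",
)]


def without_quick(rules):
    """Same rules with `quick` stripped, to show why the keyword matters."""
    return [replace(r, quick=False) for r in rules]


# Constructed packets (not from the thread): the allowed host, another
# internal host trying ssh to the router, and ordinary outbound web traffic.
PACKETS = {
    "router-ssh from 192.168.0.5": ("192.168.0.5", "192.168.0.1", 22),
    "router-ssh from 192.168.0.7": ("192.168.0.7", "192.168.0.1", 22),
    "internet-https from 192.168.0.7": ("192.168.0.7", "198.51.100.10", 443),
}


def verdicts(rules) -> dict:
    return {name: evaluate(rules, *pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("original order", ORIGINAL_ORDER),
                         ("grant's order", FIXED_ORDER),
                         ("grant's order, no quick", without_quick(FIXED_ORDER))):
        print(label)
        for name, v in verdicts(rules).items():
            print(f"  {name:32s} {v}")
```

Two things the model makes visible: with the corrected order, 192.168.0.5's ssh never reaches the block rule because the first `quick` pass already took it; and the block rule must itself carry `quick`, since without it the broad pass rule below matches last and overrides the block.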
