Hello everyone,
How can I restrict a single NAT user's Internet access to only one website? For example, for one user only, every website except domain.com should be blocked. And where in the file should the new rules be placed?
This is my pf.conf:
How can I restrict a single NAT user's Internet access to only one website? For example, for one user only, every website except domain.com should be blocked. And where in the file should the new rules be placed?
This is my pf.conf:
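# --- Macros: interfaces, external address and port lists ---
ext_if="em0"
ext_ip="x.x.x.x"
int_if="vr0"
sync_if="msk0"
vlan1000_if="vlan1000"
safe_ports="{ 53,8080,22,8140 }"
safe_nat_ports="{ 110,25,143,993,443,587,465,995,3000,389,21,20,53,161 }"

# Hosts that get unrestricted NAT; the list is loaded from this file at
# ruleset load time, so edit the file and reload pf to change membership.
table <clients> persist file "/etc/clients.conf"

# Normalize all inbound traffic before filtering.
scrub in all

# Anchors populated by ftp-proxy for active FTP.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# --- Translation ---
# These two subnets are only translated for the listed destination ports;
# anything else from them is not NATed and will not reach the Internet.
nat on $ext_if from 192.168.99.128/25 to any port $safe_nat_ports -> $ext_if
nat on $ext_if from 12.0.0.0/21 to any port $safe_nat_ports -> $ext_if
# Members of <clients> are translated for every destination port.
nat on $ext_if from <clients> to any -> $ext_ip

anchor "ftp-proxy/*"

# --- Filtering ---
# Default-permit ruleset: everything in and out is allowed unless a
# "quick" rule below matches first. pf evaluates rules last-match-wins,
# so the per-host restriction belongs here as "quick" rules, evaluated
# on $int_if inbound (before translation) so the internal source address
# is still visible. Constructed example, table name is a placeholder:
#   table <restricted> { 192.0.2.10 }                 # example address
#   pass in quick on $int_if from <restricted> to domain.com
#   block in quick on $int_if from <restricted> to any
# Note that a hostname in a rule is resolved once at load time, not per
# connection, so a site served from changing addresses needs a table
# refreshed separately or a proxy rather than a pf-only rule.
pass in all

# Block outbound SMB. The original rules named the bare word "ext_if"
# (no "$"), so they referred to a non-existent interface and never
# matched; the macro must be expanded for the block to take effect.
block out quick on $ext_if proto tcp to port 445
block out quick on $ext_if proto udp to port 445
pass out all

# Drop packets with source addresses that could not legitimately arrive
# on lo or the internal interface.
antispoof quick for { lo $int_if }

# allow pfsync over the internal nics connected by a cross cable
pass quick on $sync_if proto pfsync

# CARP heartbeats on each interface that carries a CARP VIP.
pass quick on $int_if proto carp
pass quick on $ext_if proto carp
pass quick on $vlan1000_if proto carp

#pass in quick on $ext_if proto tcp to ($ext_if) port 5631

# Internal DNS and a service on 8080 hosted at 12.0.0.1.
pass in quick on $int_if proto tcp to 12.0.0.1 port 53
pass in quick on $int_if proto udp to 12.0.0.1 port 53
pass in quick on $int_if proto tcp to 12.0.0.1 port 8080

# ICMP (all types) is accepted on every interface.
pass in quick on $int_if inet proto icmp all
pass in quick on $ext_if inet proto icmp all
pass in quick on $vlan1000_if inet proto icmp all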