PF default block policy and NAT problem solved with 'TAG'.

[johnblue]

I've switched my default PF policy to 'block all'. Yup, both $ext_if and $int_if are blocked.



Amongst other things, I had a bit of problem trying to figure out how to pass NAT traffic without opening up $ext_if and came across this site and thought I would share.

Since the source ip address is already translated before the last pass out rule is hit, this rules is not able to differentiate local generated traffic from NAT-ed traffic and will allow all traffic to leave the firewall. So is there a way to prevent this? Luckily there is an option with PF to tag a packet, which labels a packet with a tag that can be read by other rules and acted upon. This way we can differentiate traffic that flows through a NAT rule and traffic that does not.