On Sat, 25 Sep 2004 00:03:05 -0500, Edward Saipetch
<beamz at twentybelow dot com> wrote:
> Slightly off-topic, but I've got a DSL modem hooked to the WAN interface
> and the only way to manage the device is by its private 192.168.0.1 IP
> address. I've left "Block private networks" unchecked for a while, even
> though I know it's good to have turned on, purely so I could do some DSL
> troubleshooting and connection monitoring. Is there a way to explicitly
> let that traffic through, similar to setting up pf.conf and placing the
> rules higher, or is the "Block private networks" directive so high up in
> the ipf/pf.conf that there's no way to set a rule to override it?
The "Block private networks" option puts its rule in on the back end before
any of your other firewall rules, so you can't put anything above it.
In this situation, I'd manually put in firewall rules on the WAN to
drop all private networks except 192.168.0.1/32:
permit src 192.168.0.1/32 dst any
deny src 10.0.0.0/8 dst any
deny src 127.0.0.0/8 dst any
deny src 172.16.0.0/12 dst any
deny src 192.168.0.0/16 dst any
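To show why the order of the rules above matters, here is an added example (not from the thread) that evaluates the reply's rule list first-match against constructed sample source addresses, and models the "Block private networks" option by inserting its denies ahead of the user rules. It assumes first-match semantics (pf and ipf rules are last-match unless marked `quick`, which the firewall GUI adds for you); the sample addresses and the no-match result are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Rule list from the reply, in the order it must be evaluated (first match wins).
# The /32 permit for the modem must precede the 192.168.0.0/16 deny.
WAN_RULES = [
    ("permit", "192.168.0.1/32"),
    ("deny", "10.0.0.0/8"),
    ("deny", "127.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
]

# What "Block private networks" inserts ahead of every user rule (RFC 1918 ranges).
BLOCK_PRIVATE = [
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("deny", "192.168.0.0/16"),
]


def first_match(rules, src):
    """Return the action of the first rule whose network contains src.

    Returns None when no rule matches; the real firewall's default policy
    applies there, which this model deliberately leaves unspecified.
    """
    addr = ip_address(src)
    for action, net in rules:
        if addr in ip_network(net):
            return action
    return None


def with_block_private(rules):
    """Model the option: the back end prepends the private-range denies, so
    the user's /32 permit is never reached for 192.168.0.1."""
    return BLOCK_PRIVATE + list(rules)


# Constructed samples: the modem, another private host, a 10/8 host, a public host.
SAMPLES = ["192.168.0.1", "192.168.5.7", "10.1.2.3", "203.0.113.9"]


def evaluate(rules):
    """Map each sample source address to the action the rule list yields."""
    return {src: first_match(rules, src) for src in SAMPLES}


if __name__ == "__main__":
    print("manual WAN rules:      ", evaluate(WAN_RULES))
    print("Block private networks:", evaluate(with_block_private(WAN_RULES)))
```

Only the modem's /32 is permitted with the manual rules; with the option enabled, the prepended deny catches it first.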