On 2012-04-24, Theron ZORBAS <theronzor...@yahoo.com> wrote:
> Hello Misc,
>
> What is the difference between these two rules:
>
>   match out on egress inet from $int_if:network to any nat-to (egress)
>
>   pass out on egress inet from $int_if:network to any nat-to (egress)
>
> Or is there no difference?
>
> I could not understand when to use the match word.
>
'match' lets you separate natting, queue assignment, routing table
selection, qos marking etc. from the main firewall pass/block logic.

for example I find this easier to understand and edit: (contrived
example, but I think you'll get the idea..)

  match from 10/8 to any nat-to egress:0
  match from 10.0.5.9 to any nat-to $somehost

  block
  pass proto tcp from 10/8 to port 22
  pass proto tcp from 10/8 to port 80
  pass proto tcp from 10/8 to port 1433

than this:

  block
  pass proto tcp from 10/8 to port 22 nat-to egress:0
  pass proto tcp from 10/8 to port 80 nat-to egress:0
  pass proto tcp from 10/8 to port 1433 nat-to egress:0
  pass proto tcp from 10.0.5.9 to port 22 nat-to $somehost
  pass proto tcp from 10.0.5.9 to port 80 nat-to $somehost
  pass proto tcp from 10.0.5.9 to port 1433 nat-to $somehost

> P.S. It's been a very short time since I started to use OpenBSD as a
> firewall. I'm asking this question as a newbie.
> Sorry if it is a time-wasting question to you.
>
> Thanks.
> Theron ZORBAS

general advice: rather than just writing rules, start by working out (and
making notes on) what you want the firewall to allow, then *after* you've
done this, write some rules. then you can check them against your original
notes to make sure they do what you want. keep a copy of these notes; they
will help a lot if you leave the config alone for a while and then want to
make changes to it after a few months..
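A complete pf.conf written in the 'match' style discussed above, added here as an illustration and not taken from either poster; the interface name "em1", the allowed ports and the use of (egress:0) are assumptions.

```pf
# Constructed example pf.conf; "em1" and the allowed ports are assumptions.
# "egress" is the interface group pf maintains for the default-route interface.
int_if = "em1"
tcp_services = "{ 22 80 443 }"

set skip on lo

# --- parameter-setting rules ---------------------------------------------
# A 'match' rule never decides pass or block. It only attaches actions
# (here nat-to) that take effect if a later pass rule is the final match.
# (egress:0) in parentheses is re-resolved whenever the address changes.
match out on egress inet from $int_if:network to any nat-to (egress:0)

# --- access control, kept free of NAT details -----------------------------
block log all
antispoof quick for { lo $int_if }

pass out quick inet
pass in on $int_if inet proto tcp from $int_if:network to any port $tcp_services
pass in on $int_if inet proto udp from $int_if:network to any port 53
pass in on $int_if inet proto icmp from $int_if:network to any

# Because NAT lives in one 'match' line, allowing another service is a
# single new pass rule; in the 'pass ... nat-to' form from the question,
# every such rule would have to repeat the nat-to clause.
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, no load); `pfctl -sr` then shows the loaded rules in the order pf evaluates them, which is the order that decides which rule is the final match.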