On 18-03-2014 15:19, Friedrich Locke wrote:
> Hi folks,
>
> I am studying pf and a doubt arose!
>
> Since my state policy is if-bound (set state-policy if-bound) I need two
> rules for each traffic I want to pass. Is that understanding right?
>
> For instance, for nat I could:
>
> pass out on tl0 from dc0:network to any nat-to tl0
>
> pass in on dc0 from dc0:network to any
>
> Is this understanding correct? Or only the first rule is ok?
>
> Thanks.
>

First of all, I hardly see why you want or need to use if-bound, since it most likely hurts pf performance. Secondly, the proper way of doing nat is using match rules, not pass. And, even with match rules, you need 2 rules anyway:

    match out on tl0 from dc0:network to any nat-to (tl0)   # or tl0, gw ip, whatever
    pass in on dc0 from dc0:network to any

If you want better control of what passes in which interfaces, I believe you are better served using tags than using if-bound and always duplicating yourself. You're less error prone.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
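An added pf.conf fragment (written for this page, not posted by either participant) that puts the two points of the reply together: NAT as a match rule that only rewrites addresses, and tags instead of if-bound to control which interface traffic may leave on. The interface names tl0 and dc0 come from the question; the macro names, the tag name LAN_INET and the default-deny rule are assumptions.

```pf
# Added example, not from the thread. tl0 (external) and dc0 (internal)
# follow the question; the macros and the tag name are assumptions.
ext_if = "tl0"
int_if = "dc0"

set skip on lo
# The default state policy (floating) is kept: one state entry serves the
# packet on both interfaces, so pass rules need not be duplicated per
# interface the way if-bound would require.

# Translation is a match rule. It rewrites the source address of packets
# leaving on $ext_if but makes no pass/block decision of its own; that is
# left to the filter rules below.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Default deny, logged, so anything not explicitly passed shows up in pflog.
block log all

# Tag traffic as it arrives from the internal network. The tag travels with
# the packet as it is forwarded, so the outbound rule on $ext_if can key on
# it instead of restating the source network on every interface.
pass in on $int_if inet from $int_if:network to any tag LAN_INET

# Only traffic carrying the tag may leave on the external interface. A
# packet that reaches $ext_if outbound without the tag did not enter
# through the internal-network rule and falls through to "block log all".
pass out on $ext_if tagged LAN_INET
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (the -n flag parses without loading), and `pfctl -vsr` afterwards shows the loaded rules with their per-rule counters, which is the quickest way to confirm that outbound traffic is being accepted by the tagged rule rather than by something broader.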