On 24-03-2014 19:28, Alexander Hall wrote:
> On 03/24/14 15:44, Giancarlo Razzolini wrote:
>
>> Secondly, the proper way of doing nat, is using match rules, not pass.
>
> Why would you say that? 'pass ... nat-to ...' makes perfect sense to
> me. Using "match" was an easy transition from the old nat rules, but
> being "*the* proper way", no way.
>
> /Alexander

Yes, you are right. You can condense everything in one rule. But, I prefer using match, because I can decouple the nat part from the filter part. I can have a broader match rule that allows nat for the entire network and all the protocols and ports, and I can filter individually things with pass rules. One of the things that I love the most about unix is that there are many ways to do things. And you can do things the way you taste better. Sorry if I was too strong in my opinion.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
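
The two styles discussed in this thread, side by side, as an added pf.conf example that is not part of the original messages. It also shows the point that matters once NAT is decoupled with match: rules after the match rule see the packet with its translated source address, so per-service filtering is done inbound on the LAN interface. The interface names and the LAN prefix are assumptions.

```pf
# Constructed example: em0, em1 and 192.168.1.0/24 are assumed values.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

set skip on lo
block log all

# Form A: NAT and filtering condensed into one rule.
# Only the traffic this rule passes gets translated. With "block all"
# above it would still need a matching "pass in on $int_if" rule.
# pass out on $ext_if inet proto tcp from $lan to any port { 80 443 } \
#     nat-to ($ext_if)

# Form B: NAT decoupled from filtering.
# match neither passes nor blocks. It records nat-to as a sticky
# parameter that is applied when a later pass rule creates the state.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Per-service policy goes on the inside interface, where the LAN
# source address is still visible.
pass in on $int_if inet proto tcp from $lan to any port { 80 443 }
pass in on $int_if inet proto { tcp udp } from $lan to any port 53

# Rules evaluated after the match see the translated source address,
# so "from $lan" would no longer match here; use the external address.
pass out on $ext_if inet from ($ext_if) to any
```

The ruleset can be syntax-checked without loading it using `pfctl -nf` on the file.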