On 03-09-2014 09:08, andy wrote:
> The DMZ was just an example.. We can call it anything ;)
>
> I'm just trying to ask why this doesn't work;
>
> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>
> It gets a PF syntax error? Why?
>
>
> Thanks for your time, Andy.

I replied before without access to an OpenBSD machine. Now I've checked the pf.conf man page (again). The BNF syntax for the tagged keyword expects a string for the tag name. You can't use a list { }. That's why you can't use that rule and pfctl will throw a syntax error. I will check the source code later today to see if it's even feasible to do this. Perhaps some pf developer can weigh in.
Now, your example probably wasn't the best one. Mixing internal network rules with DMZ rules is not a good idea. You are prone to either blocking legitimate packets from the internal network, or you can end up allowing things into your DMZ that weren't supposed to get there.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
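As an added example (not from the thread), the same policy written so that each tagged keyword gets a single string, with the ingress rules that set the tags; the interface names are assumed:

```conf
# Constructed example, not from the thread; interface names are assumed.
if_ext = "em0"
if_lan = "em1"
if_dmz = "em2"

# Tag traffic as it enters on each internal-side interface, so the
# egress rules can tell the two sources apart without mixing them.
pass in on $if_lan tag T_LAN keep state
pass in on $if_dmz tag T_DMZ keep state

# pf.conf's grammar gives "tagged" one string, so a { } list is a
# syntax error. Write one egress rule per tag instead.
pass out quick on $if_ext tagged T_LAN keep state
pass out quick on $if_ext tagged T_DMZ keep state

# Parse without loading to catch syntax errors first:
#   pfctl -nf /etc/pf.conf
```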