Quick background to solicit examples: I am building a three-legged firewall to protect a Windoze based network.

This is my first three-legged race. Sitting in my DMZ is a Windows VPN server, which needs to send/receive PPTP and GRE traffic. I am working through the pf-faq.pdf right now. I'm either starting to understand the way the flow of pf works - or I'm totally lost.

In the pf-faq, under the Packet Tagging section (Policy Filtering), there is an example which passes traffic onto a DMZ network. However, if I am starting to understand this, it would seem that the example is missing an rdr statement to redirect the web and mail into the DMZ. There are "pass" statements for the web and mail - but I don't think that they would actually take care of getting that traffic to the specified servers. Am I wrong?

The other thing that sort of confuses me right now is that there appear to be tags in use before they are assigned. This is probably the way it works, but it seems counterintuitive to me. I'm not understanding the program flow - I guess I would have to put my "C" hat on and dive into the code to really understand it (or thoroughly confuse myself). But in short - I think my question regarding that would be: is it ok to have a "tagged" line in the pf.conf prior to having a matching "tag" created?

Thanks to anyone who assists me with this - example pf.conf files of similar three-legged or VPN pass-through configurations are very welcome!

-- 
Meta Junkie
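The kind of ruleset the post asks for, as an added example that is not from the poster or the pf-faq: a three-legged pf.conf in the older separate-rdr syntax the pf-faq uses, redirecting PPTP (TCP 1723) and GRE (IP protocol 47) to a VPN server in the DMZ and tagging the flows. Interface names, addresses and the `VPN_IN`/`VPN_OUT` tag names are assumed placeholders.

```pf
# Added example; all names and addresses are placeholders, not the poster's.
ext_if  = "fxp0"
int_if  = "fxp1"
dmz_if  = "fxp2"
ext_ip  = "203.0.113.10"     # placeholder public address
vpn_srv = "192.168.2.10"     # placeholder Windows VPN server in the DMZ
int_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"

scrub in all

# Translation rules run before filtering, so the pass rules below must
# match the translated (DMZ) destination, not $ext_ip.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)
# PPTP control channel: TCP 1723.
rdr on $ext_if proto tcp from any to $ext_ip port 1723 -> $vpn_srv
# The tunnel itself is GRE, which has no ports: redirect by protocol only.
rdr on $ext_if proto gre from any to $ext_ip -> $vpn_srv

# Default deny, logged, so anything not explicitly allowed lands in pflog.
block log all
pass quick on lo0 all
# Drop packets arriving on an interface that does not own their source net.
antispoof quick for { $int_if, $dmz_if }

# "tagged" rules can sit before the rules that assign the tag: they match the
# tag a packet already carries from its inbound evaluation, not file order.
pass out on $dmz_if tagged VPN_IN keep state
pass out on $ext_if tagged VPN_OUT keep state

# Inbound PPTP and GRE, only to the VPN server, tagged for the DMZ side.
pass in on $ext_if proto tcp from any to $vpn_srv port 1723 \
    flags S/SA keep state tag VPN_IN
pass in on $ext_if proto gre from any to $vpn_srv keep state tag VPN_IN

# Connections the VPN server itself initiates outward (site-to-site peers).
pass in on $dmz_if proto tcp from $vpn_srv to any port 1723 \
    flags S/SA keep state tag VPN_OUT
pass in on $dmz_if proto gre from $vpn_srv to any keep state tag VPN_OUT

# LAN may reach the VPN server; nothing else in the DMZ is opened here.
pass in on $int_if from $int_net to $vpn_srv keep state tag LAN_DMZ
pass out on $dmz_if tagged LAN_DMZ keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to confirm that GRE is being redirected rather than hitting the default block.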