hi list,

   Just wanted to ask some pf folks here. Is there a way to skip
(bypass) filtering for just no nat statements? I'm currently working
on some rules in which I need to have some servers on the other side
of my fw talk to internal machines without any translation
(application performance issue). Now I've set up my rule to work as
follows:

# macro definitions take no leading "$" in pf.conf; the "$" is used only when referencing them
rnet_lan="10.0.200.0/24"
rnet_wan="192.168.10.0/24"

no nat on { $int_if, $ext_if } inet from $rnet_lan to $rnet_wan
no nat on { $ext_if, $int_if } inet from $rnet_wan to $rnet_lan

nat pass on $ext_if inet proto { tcp, udp, icmp } from $rnet_lan to any -> $ext_if

# To let rnet_lan and rnet_wan talk to each other without any filtering
pass in quick from any to $rnet_wan
pass out quick from any to $rnet_wan
pass in quick from $rnet_wan to any
pass out quick from $rnet_wan to any

pass in on $int_if inet proto tcp from $rnet_lan to any port 80
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80


As soon as I put in a rule below, for some weird reason, when I access
PCs on the $rnet_wan, it gets filtered by pf.

Any comments or improvements that anyone can recommend will be greatly appreciated.

thanks,
-pf
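As an added example (not code from the original post), a small Python model of how pf walks a filter ruleset: the last matching rule decides, unless a matching rule carries quick, which stops evaluation immediately. It loads the post's four quick rules followed by a constructed later block rule; the interface names em0/em1 are assumptions, and translation, state and the nat pass shortcut are outside the model.

```python
"""Model of pf filter-rule evaluation: the last matching rule decides, unless a
matching rule carries 'quick', which ends the walk at once. Added example, not
code from the original post; it covers only the rule syntax the post uses."""
import ipaddress
from collections import namedtuple

# src/dst are IPv4Network or None ("any"); direction/iface None match anything
Rule = namedtuple("Rule", "action direction quick iface src dst")

def parse_rule(text, macros):
    """Parse one simplified pf rule, expanding $macro references."""
    toks = [macros.get(t[1:], t) if t.startswith("$") else t for t in text.split()]
    action, toks = toks[0], toks[1:]
    direction, iface, quick = None, None, False
    if toks[0] in ("in", "out"):
        direction, toks = toks[0], toks[1:]
    if toks[0] == "quick":
        quick, toks = True, toks[1:]
    if toks[0] == "on":
        iface, toks = toks[1], toks[2:]
    net = lambda s: None if s == "any" else ipaddress.ip_network(s)
    return Rule(action, direction, quick, iface,
                net(toks[toks.index("from") + 1]), net(toks[toks.index("to") + 1]))

def evaluate(rules, iface, direction, src_ip, dst_ip):
    """Return (verdict, index of the deciding rule); with no match pf passes."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if (r.direction and r.direction != direction) or (r.iface and r.iface != iface):
            continue
        if (r.src and s not in r.src) or (r.dst and d not in r.dst):
            continue
        verdict, winner = r.action, i  # a later match overrides an earlier one
        if r.quick:                    # ...unless the match is 'quick'
            break
    return verdict, winner

# Constructed ruleset: the post's four quick rules followed by a hypothetical
# later block rule; interface names em0/em1 are assumptions for this example.
MACROS = {"int_if": "em0", "ext_if": "em1",
          "rnet_lan": "10.0.200.0/24", "rnet_wan": "192.168.10.0/24"}
RULESET = [parse_rule(t, MACROS) for t in (
    "pass in quick from any to $rnet_wan", "pass out quick from any to $rnet_wan",
    "pass in quick from $rnet_wan to any", "pass out quick from $rnet_wan to any",
    "block in on $int_if from any to any")]
NO_QUICK = [r._replace(quick=False) for r in RULESET]  # same rules without quick
```

Comparing RULESET with NO_QUICK for a packet from rnet_lan to rnet_wan shows the difference: with quick the first pass rule decides, without it the later block rule wins.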
