> Do the machines on the inside of the firewall have private
> addresses?

Yes.

> Perhaps a transparent firewall will work if the internal
> machines also have public addresses.

I'd love to be able to do this! :) However, there are some unique requirements this network brings which make public IP consumption unworkable.

> Could you make use of the filter directive "route-to" to
> route packets to a different network?
>
> nat on $ExtIf from !($ExtIf) to any -> ($ExtIf:0)
>
> rdr on $ExtIf from any to ($ExtIf) port www -> 10.10.10.100 \
>     port www
>
> pass in on $IntIf route-to { ($ExtIf_1 $ExtGw_1) } proto tcp \
>     from $IntNet to any port www

As I understand it, I don't think this will work for me, as it "breaks" the advantages of running a dynamic routing protocol to select the nearest exit, but I'll need to think a little more on this. I'm also wondering if there's a creative way to use tags...

> It also sounds like you could make use of anchors in pf. With
> an anchor you can add or remove nat, rdr or filter rules on the
> fly.

Ah! Yes indeed. Great idea, and could be quite handy. Elegant too. But I'll certainly need to study the performance characteristics of using anchors during a heavy load of table-management operations (inserts or deletes) -- perhaps tens of operations per second on a table of 500,000 entries/mappings.

> OpenBSD Pf Firewall "how to" ( pf.conf )
> http://calomel.org/pf_config.html

Fantastic site, btw! I've already bookmarked it. :)

-Adam
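As an added illustration of the anchor-plus-table approach discussed in the message above (this is not part of the original thread or of the quoted rules; the interface names, addresses, table name and anchor names are assumptions), here is a pf.conf fragment in the same pre-OpenBSD-4.7 nat/rdr syntax the quoted rules use, with the pfctl commands that change it at runtime shown as comments:

```pf
# pf.conf fragment (added example; all names and addresses are assumed)
ExtIf   = "em0"
IntIf   = "em1"
IntNet  = "10.10.10.0/24"
ExtIf_1 = "em2"
ExtGw_1 = "192.0.2.1"

# "persist" keeps the table alive even while no loaded rule references it,
# so pfctl -t can keep adding and deleting entries across anchor reloads.
table <web_pool> persist { 10.10.10.100 }

# Static part of the ruleset: outbound NAT, as in the quoted rule.
nat on $ExtIf from !($ExtIf) to any -> ($ExtIf:0)

# Anchors are evaluated at this position. Child anchors under dyn/ can be
# loaded, inspected and flushed individually without reloading pf.conf.
nat-anchor "dyn/*"
rdr-anchor "dyn/*"
anchor     "dyn/*"

# Default filter policy stays in the main ruleset.
block in log all
pass out keep state

# --- runtime management (typed into a root shell, not part of pf.conf) ---
# Load a redirect into anchor dyn/www. It targets the table, not a fixed
# host, so the pool can change without touching the rule again:
#   echo 'rdr on em0 proto tcp from any to (em0) port www -> <web_pool> port www round-robin' \
#       | pfctl -a dyn/www -f -
# Load a route-to rule for one exit into a second anchor:
#   echo 'pass in on em1 route-to (em2 192.0.2.1) proto tcp from 10.10.10.0/24 to any port www keep state' \
#       | pfctl -a dyn/exit1 -f -
# Inspect and remove anchor contents:
#   pfctl -a dyn/www -sn      # show nat/rdr rules in that anchor
#   pfctl -a dyn/exit1 -sr    # show filter rules in that anchor
#   pfctl -a dyn/exit1 -Fa    # flush everything in that anchor
# Table entries change independently of any rule load:
#   pfctl -t web_pool -T add 10.10.10.101
#   pfctl -t web_pool -T delete 10.10.10.100
#   pfctl -t web_pool -T show
```

The split matters for the load question raised in the message: a `pfctl -T add` or `-T delete` is a single table ioctl that leaves the loaded rules and existing state untouched, whereas each `pfctl -a ... -f` parses a ruleset and replaces that anchor's contents. Keeping the per-mapping churn in the table and reserving anchor loads for changes to the rules themselves keeps the frequent operation the cheap one.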