[EMAIL PROTECTED] (Camiel Dobbelaar) wrote in

> To answer your question: data connections go _through_ the firewall,
> so both an 'in' and 'out' pass rule are needed.
I think I got confused in the same way as Gabriel recently in the other thread (clarification of the NAT behaviour) - I assumed that even in a multihomed host, the filtering rules apply only once, and all translating rules happen before (therefore, if such a situation were true, the anchored pass in would never happen).

Now I guess it's clear - anchored pass in on $int happens before the anchored nat rule - am I thinking right? Although shouldn't nat precisely specify the interface then? (Or is it that nat rules apply *only to* outbound traffic and rdr *only to* inbound traffic?)

This leads to another question - if we have effectively two rules - one pass in, one pass out, both using keep state, and both applying to the same packets - first coming in on some interface and then leaving on some other one, does it mean that two states will be created?

Btw, any hints on my other question (company example re: bandwidth management)?

-- 
[EMAIL PROTECTED] - remove X to reach me
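A minimal pf.conf fragment illustrating the in/out rule pair Camiel describes and the order in which translation and filter rules are consulted on each interface a packet crosses. This is an added illustration written for this thread, not a configuration posted by either participant; the interface names, LAN network, server address and ports are assumptions.

```pf
# Added illustration, not from the original thread. Interface names,
# addresses and ports are assumptions.
ext_if  = "ne1"
int_if  = "ne2"
lan_net = "192.168.1.0/24"
www_srv = "192.168.1.10"

# Translation rules are evaluated before the filter rules of the same
# interface. nat applies to packets going OUT on $ext_if; rdr applies to
# packets coming IN on $ext_if.
nat on $ext_if from $lan_net to any -> $ext_if
rdr on $ext_if proto tcp from any to $ext_if port 8080 -> $www_srv port 80

block all

# Step 1: a LAN client's packet arrives on $int_if. Only "in" rules for
# $int_if are consulted, and the packet still carries its untranslated
# source address, because nat on $ext_if has not been applied yet.
pass in on $int_if proto tcp from $lan_net to any keep state

# Step 2: the same packet leaves on $ext_if. nat rewrites the source to
# the $ext_if address, then the "out" rules for $ext_if are consulted.
# Without this second rule the default block drops it at this interface.
pass out on $ext_if proto tcp from $ext_if to any keep state

# Inbound to the redirected server takes the same two steps in reverse:
# rdr on $ext_if rewrites the destination, then the "in" rule on $ext_if
# and the "out" rule on $int_if both have to pass it.
pass in  on $ext_if proto tcp from any to $www_srv port 80 keep state
pass out on $int_if proto tcp from any to $www_srv port 80 keep state
```

The point of the comments is the per-interface ordering: for each interface the packet traverses, that interface's nat/rdr rules run first and that interface's filter rules second, so a `pass in on $int_if` rule is matched against the pre-NAT source address and a `pass out on $ext_if` rule against the post-NAT one. Check the effective rule set with `pfctl -s rules` and `pfctl -s nat` after loading.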