On 10/13/2006 04:26:04 PM, Martin Gignac wrote:

The way I understand it now I guess I have two options: either use
simple ingress/egress interface + direction policies (like a
NetScreen) but learn to live with the fact that I'll get back ICMP
errors if something is blocked, or else use filters on the ingress
interface based on destination addresses, but at least the packet drop
will be "incognito". :-)

You can probably do what you want by blocking both ingress and
egress, filtering on ingress while simultaneously tagging for
egress, and then filtering egress based on tags.  (Keep state
all the while to allow for return traffic.)

That's the current "best practice" and is explained somewhere
in the pf faq.


Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
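A pf.conf sketch of the ingress-tag / egress-tagged approach Karl describes, added here as an illustration and not taken from the thread or from the pf FAQ; the interface names, networks and hosts are assumed for the example.

```pf
# Assumed interfaces and addresses (example values, not from the thread)
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"
lan_net = "192.168.1.0/24"
dmz_web = "10.0.0.10"

# Plain "block" (not "block return") sends no TCP RST or ICMP
# unreachable, so a dropped packet is silent from the sender's view.
set block-policy drop

# Bind states to the interface they were created on. With the default
# floating states, a state created by the ingress rule on $int_if would
# already match the packet on its way out of $ext_if, and the egress
# rules below would never be consulted.
set state-policy if-bound

# Default: nothing passes in or out on any interface.
block all

# Ingress (LAN side): decide what may enter the firewall and tag each
# allowed flow with where it is permitted to go. The tag is carried in
# the state and is visible to later rules on the outbound interface.
pass in quick on $int_if inet proto tcp from $lan_net to any \
    port { 80, 443 } keep state tag LAN_TO_INET
pass in quick on $int_if inet proto tcp from $lan_net to $dmz_web \
    port 22 keep state tag LAN_TO_DMZ

# Egress: a packet may leave an interface only if it carries the tag
# assigned on ingress. Untagged or mismatched traffic falls through to
# "block all" and is dropped without any ICMP or RST reply.
pass out quick on $ext_if tagged LAN_TO_INET keep state
pass out quick on $dmz_if tagged LAN_TO_DMZ keep state

# Reply packets match the if-bound states created by the "keep state"
# rules on each interface, so no separate rules for return traffic
# are needed.
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and inspect tags on live states with `pfctl -vvss`.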
