On 10/13/2006 04:26:04 PM, Martin Gignac wrote:
The way I understand it now I guess I have two options: either use simple ingress/egress interface + direction policies (like a NetScreen) but learn to live with the fact that I'll get back ICMP errors if something is blocked, or else use filters on the ingress interface based on destination addresses, but at least the packet drop will be "incognito". :-)
You can probably do what you want by blocking both ingress and egress, filtering on ingress while simultaneously tagging for egress, and then filtering egress based on tags. (Keep state all the while to allow for return traffic.) That's the current "best practice" and is explained somewhere in the pf faq.

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
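The ingress-filter, tag, egress-filter-on-tag pattern described in the reply above, as an added pf.conf example that is not part of the thread and not from the pf FAQ. Interface names (em0/em1), the internal network 192.0.2.0/24 and the tag names are assumed values chosen for illustration.

```pf
# Constructed example: default-deny on both interfaces, decide on
# ingress, carry the decision to egress with a tag.
ext_if  = "em0"           # assumed external interface
int_if  = "em1"           # assumed internal interface
int_net = "192.0.2.0/24"  # assumed internal network (documentation range)

# Block everything in both directions on both interfaces (silent drop).
block log all

# Ingress: filter on the inbound interface, keep state for the return
# traffic, and tag the packet so the egress rule can recognise it.
pass in on $ext_if proto tcp from any to $int_net port 80 \
    keep state tag FROM_EXT
pass in on $int_if from $int_net to any keep state tag FROM_INT

# Egress: only let out what an ingress rule already accepted and tagged.
# Anything that reaches the outbound interface untagged hits the block
# rule above.
pass out on $int_if tagged FROM_EXT keep state
pass out on $ext_if tagged FROM_INT keep state
```

The tag is attached to the packet when the ingress rule matches and, because the rule keeps state, to every later packet of that state as well, so the egress rules never need to repeat the address and port logic; they only ask whether an ingress rule has already vouched for the packet. Load with `pfctl -nf /etc/pf.conf` first to syntax-check before activating.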