On 10/14/06, Karl O. Pinc <[EMAIL PROTECTED]> wrote:

> You can probably do what you want by blocking both ingress and
> egress, filtering on ingress while simultaneously tagging for
> egress, and then filtering egress based on tags.  (Keep state
> all the while to allow for return traffic.)
>
> That's the current "best practice" and is explained somewhere
> in the pf faq.

You're right: I'm realizing that block-dropping on ingress as well for
specific subnets is the price I have to pay if I want to avoid ICMP
unreachables. It was just that I was originally trying to avoid having
to pay that price as I'm not used to it on the NetScreen which I'm
familiar with. However, Daniel's explanation clearly showed me the why
of this behavior.

-Martin

--
"Suburbia is where the developer bulldozes out the trees, then names
the streets after them."

                                                  --Bill Vaughan
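A pf.conf version of the scheme Karl describes (block both directions, tag on ingress, filter egress on the tag, keep state throughout), added here as an example that is not part of the thread or of the pf FAQ it refers to; interface names, networks and the tag name are assumptions:

```pf
# Added example, not from the thread: Karl's scheme expressed in pf.conf.
# Interface names, networks and the tag name are assumptions.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
silent_nets = "{ 10.0.0.0/8 }"   # constructed: sources that must never get an ICMP unreachable

# Drop silently instead of answering with TCP RST / ICMP unreachable.
set block-policy drop

# Bind states to the interface that created them. With the default
# "floating" policy the state created by the ingress rule below would
# also match the same packet as it leaves $ext_if, so the egress tag
# rule would never be evaluated and "filter egress on tags" would be a no-op.
set state-policy if-bound

# Default deny in both directions.
block in all
block out all

# Ingress filtering: silently drop the unwanted subnets before anything
# else looks at them (the price Martin mentions paying).
block drop in quick on $ext_if from $silent_nets to any

# Ingress filtering plus tagging: decide once on the inside interface and
# record the decision in a tag that travels with the packet.
pass in on $int_if from $lan to any keep state tag LAN_OUT

# Egress filtering on the tag only: nothing leaves $ext_if unless it was
# tagged on the way in. keep state here lets the replies come back in.
pass out on $ext_if tagged LAN_OUT keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`.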
