Norman Maurer <[EMAIL PROTECTED]> writes:

> It seems to me that I need one "in" and one "out" rule for each
> FORWARD rule. Is this right?

not necessarily.  you can have rules which are not explicitly bound to
an interface, such as

webserver = "194.54.107.19"
webservices = "{ www, https }"

block all
pass proto tcp from any to $webserver port $webservices synproxy state

(bah, untested, but you get the idea)

In fact, for traffic you just want to pass through your gateway you
can unclutter your rule set significantly this way.  

For setups where you need to pass traffic in on a specific interface
(or interface group) and out on some other specific interface or
group, it's a different story of course, but PF lets you do the less
complicated things in very straightforward ways.

This is the kind of stuff I rant about extensively in the tutorial
at http://home.nuug.no/~peter/pf/, btw (but it's got other things as well)

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
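The contrast Peter draws above, laid out as a small pf.conf fragment. This is an added example, not code from the original post or from the tutorial; the interface names (em0, em1), the 192.0.2.0/24 documentation-range addresses and the admin_net macro are constructed for illustration, while the webserver and webservices macros follow the shape used in the post.

```pf
# Added example (not from the original post). Interface names and all
# addresses are assumptions; 192.0.2.0/24 is the documentation range.
ext_if = "em0"
int_if = "em1"
webserver = "192.0.2.10"
webservices = "{ www, https }"
admin_net = "192.0.2.128/25"

set skip on lo

# Default deny. Logging the drops gives you something to review when a
# legitimate service stops working or when probes start showing up.
block log all

# Not bound to any interface: this single rule is evaluated for the packet
# whether it is arriving on $ext_if or leaving on $int_if toward the server,
# so the forwarded web traffic does not need a separate "in" and "out" rule.
pass proto tcp from any to $webserver port $webservices synproxy state

# The same traffic written the way the question describes, with the
# direction and interface spelled out on each rule:
# pass in  on $ext_if proto tcp from any to $webserver port $webservices synproxy state
# pass out on $int_if proto tcp from any to $webserver port $webservices keep state

# Interface binding is the right tool when the direction really matters.
# Here ssh to the gateway itself is only accepted from the inside network;
# the same request arriving on $ext_if falls through to the block rule.
pass in on $int_if proto tcp from $admin_net to ($int_if) port ssh
```

Before loading a rule set like this, `pfctl -nf /etc/pf.conf` parses it without installing anything, which catches macro typos (an undefined macro is a hard error) and lets you confirm the rules expanded the way you meant.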