Norman Maurer <[EMAIL PROTECTED]> writes:

> It seems to me that I need one "in" and one "out" rule for each
> FORWARD rule. Is this right?
Not necessarily. You can have rules which are not explicitly bound to
an interface, such as

    webserver = "194.54.107.19"
    webservices = "{ www, https }"

    block all
    pass proto tcp from any to $webserver port $webservices synproxy state

(bah, untested, but you get the idea)

In fact, for traffic you just want to pass through your gateway you can
unclutter your rule set significantly this way. For setups where you
need to pass traffic in on a specific interface (or interface group) and
out on some other specific interface or group, it's a different story of
course, but PF lets you do the less complicated things in very
straightforward ways.

This is the kind of stuff I rant about extensively in the tutorial at
http://home.nuug.no/~peter/pf/, btw (but it's got other things as well)

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
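A fuller gateway rule set along the lines of the reply above, as an added example that is not from the original post or from the tutorial it mentions; it puts the interface-agnostic rule next to the "in"/"out" pair it replaces. Interface names, the web server address and the LAN range are constructed placeholders.

```pf
# Added example, not from the original post. Placeholder values throughout.
ext_if = "em0"
int_if = "em1"
webserver = "192.0.2.10"            # host behind the gateway
webservices = "{ www, https }"
lan = "192.168.1.0/24"

set skip on lo

# Default deny, every direction, every interface.
block all

# Interface-agnostic: this single rule matches the packet arriving on
# $ext_if. With the default "floating" state policy the state it creates
# also matches the same packet leaving on $int_if, so no second rule is
# needed. synproxy makes PF complete the TCP handshake with the client
# before a single packet reaches the web server.
pass proto tcp from any to $webserver port $webservices synproxy state

# LAN hosts reaching the outside world: again no "in"/"out" pair.
pass proto { tcp udp icmp } from $lan to any keep state

# The interface-bound equivalent, only worth writing when policy really
# depends on which interface the traffic uses. Note it takes two rules:
# pass in  on $ext_if proto tcp from any to $webserver port $webservices synproxy state
# pass out on $int_if proto tcp from any to $webserver port $webservices keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the cheapest way to catch a typo in a macro or port list before it takes effect.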