On 07/04/2007 03:54:57 AM, Norman Maurer wrote:
Hi all,

we are on the way to migrate some linux firewall to a pf firewall.
After I read the pf faq and manual pages I'm still not sure what's the
best way to replace iptables "FORWARD" rules.
It seems to me that I need one "in" and one "out" rule for each
FORWARD rule. Is this right?

Right-ish, but there's better ways.

Or would the preferred way be:
------------------------------------------
block all

pass in on fxp0 proto tcp from any to 1.2.3.4 port {80,443} synproxy state
pass out on fxp1 proto tcp from any to 1.2.3.4 port {80,443} synproxy state
------------------------------------------

block all

pass in on fxp0 proto tcp from any to 1.2.3.4 port {80, 443} \
  tag WEB \
  synproxy state

pass out quick on fxp1 tagged WEB
More likely you'd use very general tags, like "internet traffic"
(e.g. "tag NET") to pass broad classes of traffic out of an
interface.  That way there are only a few extra rules.
The phrase for this is "policy based".  As the traffic comes
in you pass it and assign it a policy (a tag), then you
use the policy to let it out of the box.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
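
A fuller pf.conf fragment showing the policy-based approach described above, as an added example that is not from the thread: the published web server keeps its own WEB tag, while everything the LAN is allowed to reach on the Internet is lumped under one NET policy. The interface names, the address 1.2.3.4, the 10.0.0.0/24 LAN and the allowed ports are assumptions.

```pf
# Constructed example (not from the original thread). Translates a handful of
# iptables FORWARD rules into pf "policy" tags: tag on the way in, enforce on
# the way out. fxp0/fxp1, 1.2.3.4 and 10.0.0.0/24 are assumed values.
ext_if  = "fxp0"
int_if  = "fxp1"
web_srv = "1.2.3.4"
lan_net = "10.0.0.0/24"

# Default deny in both directions. "log" sends every dropped forward to pflog,
# which is where you look when a host complains it cannot get through.
block log all

# Inbound from the Internet: only the published web service, policy WEB.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    tag WEB synproxy state

# Outbound from the LAN: one broad "internet traffic" policy, NET.
# Add services here rather than adding new pass out rules.
pass in on $int_if proto { tcp, udp } from $lan_net to any \
    port { 53, 80, 443 } tag NET keep state
pass in on $int_if inet proto icmp from $lan_net to any \
    icmp-type echoreq tag NET keep state

# Enforcement: one pass out rule per policy, not per service. Anything that
# reaches an interface untagged falls through to "block log all".
pass out quick on $int_if tagged WEB
pass out quick on $ext_if tagged NET
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; a forward that is unexpectedly dropped shows up in `tcpdump -n -e -ttt -i pflog0` with the blocking rule number.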
