* Mike Belopuhov <m...@belopuhov.com> [2016-06-20 00:33]:
> rdr-to/nat-to are not checked on purpose. i'm not certain about
> route-to/reply-to.

indeed, rdr-to/nat-to in the "unnatural" direction DO work, with caveats.
route-to and af-to are different. as others already pointed out the check
should be != PF_IN and not == PF_OUT, to catch unspecified direction.
With that, ok with me.

> as far as i'm concerned, af-to should be restricted to "pass in".
> but it would be nice to know if "pass out route-to" and "pass in
> reply-to" produce working configurations to restrict them as well
> if they don't.

ack - I dunno either otoh

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
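The direction check discussed above, shown as an added example in C that is not OpenBSD's pfctl code. It models only the af-to restriction from the thread: a rule that has no explicit direction carries PF_INOUT (0 in OpenBSD's <net/pfvar.h>, alongside PF_IN and PF_OUT), so a check written as `== PF_OUT` lets "pass af-to ..." through, while `!= PF_IN` rejects it. The rule-line tokenizer `toy_parse`/`has_word` is a stand-in for pfctl's real parser, the sample rules are constructed, and route-to, reply-to, rdr-to and nat-to are deliberately left unchecked, as the thread leaves them.

```c
/* Added example, not pfctl code: a toy validator for the af-to direction
 * check. Only the tokens the check needs are parsed from a pf.conf-style line. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Direction values as in OpenBSD's <net/pfvar.h>. PF_INOUT (0) means "no
 * direction given", which is what an == PF_OUT test fails to catch. */
enum { PF_INOUT = 0, PF_IN = 1, PF_OUT = 2 };

struct toy_rule {
    int dir;        /* PF_INOUT, PF_IN or PF_OUT */
    bool af_to;     /* rule carries af-to */
    bool route_to;  /* carried but not restricted here */
    bool reply_to;  /* carried but not restricted here */
    bool rdr_to;    /* not checked, per the thread */
    bool nat_to;    /* not checked, per the thread */
};

/* Whole-word match on a space-separated rule line (toy tokenizer). */
static bool has_word(const char *line, const char *word) {
    size_t wl = strlen(word);
    const char *p = line;
    while ((p = strstr(p, word)) != NULL) {
        bool start = (p == line) || p[-1] == ' ';
        bool end = p[wl] == '\0' || p[wl] == ' ';
        if (start && end)
            return true;
        p += wl;
    }
    return false;
}

/* Pull direction and the translation/routing keywords out of one rule line. */
void toy_parse(const char *line, struct toy_rule *r) {
    memset(r, 0, sizeof(*r));
    if (has_word(line, "in"))
        r->dir = PF_IN;
    else if (has_word(line, "out"))
        r->dir = PF_OUT;
    else
        r->dir = PF_INOUT;           /* "pass ..." with no direction */
    r->af_to    = has_word(line, "af-to");
    r->route_to = has_word(line, "route-to");
    r->reply_to = has_word(line, "reply-to");
    r->rdr_to   = has_word(line, "rdr-to");
    r->nat_to   = has_word(line, "nat-to");
}

int toy_dir(const char *line) {
    struct toy_rule r;
    toy_parse(line, &r);
    return r.dir;
}

/* The check as first proposed: af-to is refused only on an explicit "out".
 * A rule with unspecified direction (PF_INOUT) is accepted, which is the gap. */
bool afto_ok_buggy(const struct toy_rule *r) {
    return !(r->af_to && r->dir == PF_OUT);
}

/* The corrected check from the thread: af-to requires an explicit "pass in",
 * so both "out" and unspecified direction are rejected. */
bool afto_ok_fixed(const struct toy_rule *r) {
    return !(r->af_to && r->dir != PF_IN);
}

/* Parse and validate one line with the corrected check. */
bool toy_rule_ok(const char *line) {
    struct toy_rule r;
    toy_parse(line, &r);
    return afto_ok_fixed(&r);
}

int main(void) {
    /* constructed sample rules */
    const char *rules[] = {
        "pass in on em0 inet af-to inet6 from 2001:db8::1",
        "pass out on em0 inet af-to inet6 from 2001:db8::1",
        "pass on em0 inet af-to inet6 from 2001:db8::1",
        "pass out on em0 route-to (em1 192.0.2.1)",
    };
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        struct toy_rule r;
        toy_parse(rules[i], &r);
        printf("%-55s ==PF_OUT:%s  !=PF_IN:%s\n", rules[i],
               afto_ok_buggy(&r) ? "accept" : "reject",
               afto_ok_fixed(&r) ? "accept" : "reject");
    }
    return 0;
}
```

The third sample line is the one the thread is about: with `== PF_OUT` it is accepted because its direction is PF_INOUT, not PF_OUT; with `!= PF_IN` it is rejected together with the explicit "pass out" rule.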