On Wed, Dec 13, 2006 at 06:31:10PM +0100, Daniel Hartmeier wrote:
> >     pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
>
> The point of this is that you can control _which_ interface(s) a
> connection must flow through, instead of granting a permission to pass
> any and all interfaces.

Or, you can specify no interfaces, which is okay to do _if_:

1) Both interfaces have only directly attached networks (that are static)
2) antispoof is on for both interfaces

Some guy's guide out there for pf fails to take this into account.
If there's a static "default" route on an interface, you really can't
omit that interface from any rules, because both conditions are false.
-- 
A: No.
Q: Should I include quotations after my reply?
<URL:http://www.subspacefield.org/~travis/> -><-
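
The two approaches discussed in this thread, written out as a pf.conf fragment. This is an added example, not part of either message; the interface names, macro names and addresses (documentation ranges) are assumptions.

```pf
# Constructed example: forwarding firewall with two NICs.
ext_if = "em0"            # assumed name: side the connection enters (the "first NIC")
int_if = "em1"            # assumed name: side the connection leaves
ip_a   = "192.0.2.10"     # stands in for IP-A
ip_b   = "198.51.100.5"   # stands in for IP-B

block all

# antispoof only covers the networks directly attached to the named
# interfaces. Per pf.conf(5), "antispoof for em1" expands to rules like:
#   block drop in on ! em1 inet from <em1's network> to any
#   block drop in inet from <em1's address> to any
antispoof quick for { $ext_if $int_if }

# Variant 1: interface-bound. The connection has to come in on $ext_if and
# leave on $int_if; the same packets on any other path fall to "block all".
pass in  on $ext_if proto tcp from $ip_a to $ip_b port 22 keep state
pass out on $int_if proto tcp from $ip_a to $ip_b port 22 keep state

# Variant 2: no interface named. The rule matches in both directions on
# every interface, so only the antispoof rules above tie a source address
# to an interface. That holds only under the two conditions in the reply:
# each interface has nothing but static, directly attached networks, and
# antispoof is on for both. With a default route behind $ext_if, sources
# outside the attached networks are not covered, so keep Variant 1.
# pass proto tcp from $ip_a to $ip_b port 22 keep state
```

The fragment can be syntax-checked without loading it by running `pfctl -nf` on the file.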
