On 17-04-2014 15:08, Henning Brauer wrote:
> * Giancarlo Razzolini <[email protected]> [2014-03-24 15:46]:
>> First of all, I hardly see why you want or need to use if-bound, since
>> it most likely hurts pf performance.
> it doesn't.
>
> however, if-bound is stupid except very few cases, i.e. on encX.
>
>> Secondly, the proper way of doing nat, is using match rules, not pass.
> sez who?
> nat-to on pass rules is perfectly fine.
> using a match rule is just more practical in most scenarios.
>
Yes Henning, you're right. I replied with this in another mail; I believe you didn't get it. I prefer match because of the flexibility you get. Also, I do work on firewalls with 2, 3 and sometimes 4 different internet connections and dynamically switch between them upon availability. Using match is much easier in these cases, because you can have one anchor and just change the pass ... route-to rules.

Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
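
A sketch of the layout described in the message above, added as an illustration and not taken from the thread: the match ... nat-to rules stay in the main ruleset, and a failover script rewrites only the pass ... route-to rule inside one anchor. Interface names, addresses, the anchor name "uplink" and the ping-based availability check are all assumptions; route-to uses the (interface gateway) form of pf from the period of this thread, which later OpenBSD releases changed.

```sh
#!/bin/sh
# Added example. All names and addresses below are constructed.
#
# Main pf.conf, loaded once and left alone on failover:
#   match out on em0 inet from 192.168.1.0/24 nat-to (em0)
#   match out on em1 inet from 192.168.1.0/24 nat-to (em1)
#   anchor "uplink"
#
# Whichever uplink the anchor routes to, the matching nat-to applies when the
# packet leaves that interface, so the NAT rules never need to change.

LAN_IF="em2"
LAN_NET="192.168.1.0/24"
# Uplinks in order of preference, one "interface gateway" pair per line.
UPLINKS="em0 203.0.113.1
em1 198.51.100.1"

# Availability probe (assumption: one ping to the uplink's gateway).
link_up() {
    ping -c 1 -w 2 "$2" >/dev/null 2>&1 </dev/null
}

# Print "interface gateway" for the first available uplink, or nothing.
pick_uplink() {
    echo "$UPLINKS" | while read -r ifc gw; do
        if link_up "$ifc" "$gw"; then
            echo "$ifc $gw"
            break
        fi
    done
}

# Print the anchor ruleset that sends LAN traffic out via uplink $1 / gateway $2.
# Traffic staying inside the LAN (including to the firewall) is left unrouted.
anchor_rules() {
    printf 'pass in quick on %s inet from %s to ! %s route-to (%s %s)\n' \
        "$LAN_IF" "$LAN_NET" "$LAN_NET" "$1" "$2"
}

# "apply" replaces only the anchor contents; the main ruleset is not reloaded.
# Existing states keep their old route until they expire or are killed.
if [ "${1:-}" = "apply" ]; then
    set -- $(pick_uplink)
    [ $# -eq 2 ] || { echo "no uplink available" >&2; exit 1; }
    anchor_rules "$1" "$2" | pfctl -a uplink -f -
fi
```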

