On Tue, 02 Sep 2014 18:33:02 -0300, Giancarlo Razzolini
<[email protected]> wrote:
> On 02-09-2014 17:12, andy wrote:
>> So why does;
>> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>>
>> NOT expand out to;
>> pass out quick on $if_ext tagged T_LAN keep state
>> pass out quick on $if_ext tagged T_DMZ keep state
> I didn't test. But if I recall correctly, that rule will expand
> exactly as you want them to. But I disagree with you. I think you should
> separate the rules for the internal network from the dmz. Even if they
> are physically on the same interface (vlan), they should be on separate
> rules. You could even use separate anchors with a file for the internal
> net and another for the dmz. There is a point when too much
> simplification starts getting into the way of doing things securely.
> Which is what OpenBSD is all about. If you really, really want to
> "simplify" your ruleset, you could first write it with security in mind,
> then use the pf's ruleset optimizer, and then use the optimization as a
> starting point.
> 
> Cheers,


The DMZ was just an example.. We can call it anything ;)

I'm just trying to ask why this doesn't work;

pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state

It gets a PF syntax error? Why?


Thanks for your time, Andy.
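For reference, an added pf.conf fragment (constructed here, not from either poster) showing how the two tags end up as separate outbound rules. In the pf.conf(5) grammar the `tagged` option takes a single string, so a brace list is not expanded there the way it is for addresses, ports or interfaces; the interface names and the anchor file path below are assumptions for illustration.

```pf
# Constructed example: tag traffic on entry, then match per tag on the way out.
if_ext = "em0"
if_lan = "vlan10"
if_dmz = "vlan20"

# Assign a tag as packets arrive from each internal segment
pass in quick on $if_lan tag T_LAN keep state
pass in quick on $if_dmz tag T_DMZ keep state

# 'tagged' accepts one tag per rule, so the list must be written out by hand
pass out quick on $if_ext tagged T_LAN keep state
pass out quick on $if_ext tagged T_DMZ keep state

# Alternative keeping the two networks in separate rulesets: one anchor per tag,
# each loaded from its own file (paths are placeholders)
anchor "lan_out" out on $if_ext tagged T_LAN
load anchor "lan_out" from "/etc/pf.lan_out.conf"
anchor "dmz_out" out on $if_ext tagged T_DMZ
load anchor "dmz_out" from "/etc/pf.dmz_out.conf"
```

Checking the file with `pfctl -nf /etc/pf.conf` parses it without loading, which is the quickest way to see which form of the `tagged` rule the parser accepts before touching the live ruleset.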
