On Wed, 13 May 2015 00:36:54 +0200 Dennis Steinkamp <[email protected]> wrote:
>
> 1.) block all
> 2.) set skip on lo
> 3.) match out on egress inet from $int_net nat-to egress
> 4.) pass in on $int_if from $int_net to *any*
> 5.) pass out on $ext_if from $ext_if to any

It is also good practice to block spoofing attacks, both from without and
from anyone within your own networks.

antispoof $int_if
antispoof $ext_if
block in on $int_if from !$int_net to any

There's an RFC for this but I don't recall the number.

Karl <[email protected]>
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
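The following is an added example, not code from the thread above: a small Python model of how pf evaluates the ruleset once the antispoof lines are added, so you can see which rule ends up deciding each packet. The interface names (em0/em1), the 192.168.1.0/24 and 203.0.113.0/29 subnets and the gateway addresses are assumptions made up for the demo, not values from the original message; the `antispoof` expansion follows the description in pf.conf(5), the `match ... nat-to` line is omitted because it translates rather than filters, and the sample packets are constructed.

```python
"""Toy model of how pf evaluates the anti-spoofing rules from the thread.

Added example, not code from the original message. Interface names,
addresses and subnets below are assumptions chosen for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed macro values: $int_if / $ext_if, their networks and the
# gateway's own addresses (RFC 1918 and TEST-NET-3 space, constructed).
INT_IF, INT_NET, INT_ADDR = "em1", "192.168.1.0/24", "192.168.1.1"
EXT_IF, EXT_NET, EXT_ADDR = "em0", "203.0.113.0/29", "203.0.113.2"


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # "in", "out", or None (both)
    iface: Optional[str]         # "on $if"; None matches any interface
    iface_negated: bool          # "on ! $if"
    src: Optional[str]           # "from <net>"; None means "from any"
    src_negated: bool            # "from ! <net>"
    text: str                    # the pf.conf line this rule models


@dataclass
class Packet:
    direction: str               # "in" or "out"
    iface: str
    src: str


def antispoof(iface: str, net: str, addr: str) -> List[Rule]:
    """Expand 'antispoof for <iface> inet' as pf.conf(5) describes it: block
    packets that carry the interface's network as source but arrive on any
    *other* interface, and block packets that claim the interface's own
    address as source on any interface."""
    return [
        Rule("block", "in", iface, True, net, False,
             f"block drop in on ! {iface} inet from {net} to any"),
        Rule("block", "in", None, False, addr, False,
             f"block drop in inet from {addr} to any"),
    ]


def ruleset() -> List[Rule]:
    """The filter rules from the question (the 'match ... nat-to' line is
    translation, not filtering, so it is left out) plus the anti-spoofing
    additions from the reply, in pf.conf order."""
    rules = [
        Rule("block", None, None, False, None, False, "block all"),
        Rule("pass", "in", INT_IF, False, INT_NET, False,
             f"pass in on {INT_IF} from {INT_NET} to any"),
        Rule("pass", "out", EXT_IF, False, EXT_ADDR, False,
             f"pass out on {EXT_IF} from {EXT_ADDR} to any"),
    ]
    rules += antispoof(INT_IF, INT_NET, INT_ADDR)
    rules += antispoof(EXT_IF, EXT_NET, EXT_ADDR)
    rules.append(Rule("block", "in", INT_IF, False, INT_NET, True,
                      f"block in on {INT_IF} from ! {INT_NET} to any"))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and (rule.iface == pkt.iface) == rule.iface_negated:
        return False
    if rule.src is not None:
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        if in_net == rule.src_negated:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """pf semantics: every rule is evaluated and the *last* matching rule wins
    (none of these rules use 'quick'). 'set skip on lo' exempts loopback
    traffic from filtering altogether."""
    if pkt.iface.startswith("lo"):
        return "pass", "set skip on lo"
    winner = rules[0]  # 'block all' matches everything, so a winner always exists
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
    return winner.action, winner.text


if __name__ == "__main__":
    # Constructed sample packets: (direction, interface, source address).
    samples = [
        Packet("in", INT_IF, "192.168.1.50"),   # legitimate LAN client
        Packet("in", EXT_IF, "192.168.1.50"),   # LAN address spoofed from outside
        Packet("in", INT_IF, "10.0.0.5"),       # foreign source on the LAN side
        Packet("in", INT_IF, INT_ADDR),         # claims to be the gateway itself
        Packet("out", EXT_IF, EXT_ADDR),        # normal outbound traffic
    ]
    for pkt in samples:
        action, text = evaluate(ruleset(), pkt)
        print(f"{pkt.direction:3} on {pkt.iface} from {pkt.src:14} -> {action:5} ({text})")
```

Running it shows the three cases the antispoof lines add over the plain "block all / pass in / pass out" set: a LAN address arriving on the external interface, a packet on the LAN side that claims the gateway's own address, and a non-LAN source on the internal interface are all decided by one of the new block rules rather than by the earlier pass rule, because in pf the last matching rule wins.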
