IMS <[EMAIL PROTECTED]> writes:
> I've already enabled gatewaying and a NAT rule on my firewall. If I allow
> all traffic to pass the pf (pass all), all connections work well.
Pass all should not be necessary, unless, of course, you really want to.
However, I tend to argue that rules should be interface specific only if
they really need to be.
Your rule
pass in quick on $inh_if proto tcp \
from $inh_addr to $stg_addr port 80 keep state
really only passes traffic to the gateway, and won't do you much good
unless there's also a rule which lets the traffic pass out through
$stg_if to $stg_addr.
For cases like this, rolling it all into one rule would possibly meet
your functional specs and help make your rule set more readable and
maintainable in the long run. That is, I have a feeling something like
pass proto tcp from $inh_addr to $stg_addr port http keep state
would serve you better in the end.
My rant about this is at http://www.bgnett.no/~peter/pf/en/basicgw.html
(part of a PF tutorial).
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
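For readers who want to see the single-rule approach in context, here is a minimal pf.conf built around Peter's suggested rule. This is an added example, not part of the original mail or of the PF tutorial it links to; the interface names, the address ranges and the NAT line are assumptions chosen to match the macro names used in the thread, and the addresses are constructed, not real.

```pf
# Added example pf.conf, not from the original mail.
# Macro names follow the thread; the values are assumed.
inh_if   = "fxp0"              # interface facing the internal hosts (assumed)
stg_if   = "fxp1"              # interface facing the staging server (assumed)
ext_if   = "fxp2"              # outside interface (assumed)
inh_addr = "192.0.2.0/24"      # internal network (constructed address)
stg_addr = "198.51.100.10"     # staging web server (constructed address)

# Default deny on every interface; anything not passed below is dropped.
block log all

# Gatewaying for the internal hosts (assumed to be what the poster
# meant by "NAT rule on my firewall").
nat on $ext_if from $inh_addr to any -> ($ext_if)

# One rule, not tied to an interface or a direction: it matches the
# SYN arriving on $inh_if and the same packet leaving on $stg_if, and
# the state entry it creates lets the replies back through both.
pass proto tcp from $inh_addr to $stg_addr port http keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`; after loading with `pfctl -f /etc/pf.conf`, open a connection from an internal host and confirm with `pfctl -ss` that a single state entry for the http session exists. If the staging server is instead reached from outside via the NAT address, that needs its own rdr rule, which the thread does not cover.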