Thanks Peter.. All the rules work now..
Thitiporn

On 4/1/06, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> IMS <[EMAIL PROTECTED]> writes:
>
> > I've already enabled gatewaying and NAT rule on my firewall. If I allow
> > all traffic pass the pf (pass all). All connections work well.
>
> Pass all should not be necessary, unless, of course, you really want to.
>
> However, I tend to argue that rules should be interface specific only if
> they really need to be.
>
> Your rule
>
>   pass in quick on $inh_if proto tcp \
>       from $inh_addr to $stg_addr port 80 keep stat
>
> really only passes traffic to the gateway, and won't do you much good
> unless there's also a rule which lets the traffic pass out through
> $stg_if to $stg_addr.
>
> For cases like this, rolling it all into one rule would possibly meet
> your functional specs and help make your rule set more readable and
> maintainable in the long run. That is, I have a feeling something like
>
>   pass proto tcp from $inh_addr to $stg_addr port http keep state
>
> would serve you better in the end.
>
> My rant about this is at http://www.bgnett.no/~peter/pf/en/basicgw.html
> (part of a PF tutorial).
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099
> seconds.
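The point made in the quoted reply, as an added pf.conf sketch that is not part of the original thread: with a default-deny policy, an interface-bound `pass in` rule needs a matching `pass out` on the other interface, while a single rule with no `on` clause covers both directions of the crossing. The macro names come from the thread; the interface names and addresses assigned to them are constructed placeholders, and the `block all` default is an assumption.

```conf
# Constructed placeholder values; substitute your own interfaces and addresses.
inh_if   = "fxp0"             # interface facing the inside hosts (assumed name)
stg_if   = "fxp1"             # interface facing the staging server (assumed name)
inh_addr = "192.168.1.0/24"   # constructed example network
stg_addr = "10.0.0.10"        # constructed example host

# Assumed default-deny policy: anything not explicitly passed is dropped.
block all

# Variant A: interface-specific rules.
# The first rule alone only lets the packet INTO the gateway on $inh_if;
# without the second rule it is blocked when it tries to leave via $stg_if.
pass in  quick on $inh_if proto tcp \
    from $inh_addr to $stg_addr port http keep state
pass out quick on $stg_if proto tcp \
    from $inh_addr to $stg_addr port http keep state

# Variant B: one rule, no interface or direction.
# It matches the same connection entering on $inh_if and leaving on $stg_if,
# so it replaces both rules of Variant A. Use one variant, not both.
# pass proto tcp from $inh_addr to $stg_addr port http keep state
```

`pfctl -nf /etc/pf.conf` parses the rule set without loading it, and `pfctl -sr` lists the rules that are actually loaded, which is a quick way to confirm that both directions are covered.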
