Daniel Hartmeier wrote:

> Each packet is filtered on both interfaces, the internal one and the
> external one. On the external one you'll be seeing already translated
> packets, on the internal one not-yet (or back-)translated packets.

I think that is the crux of my confusion. For example, I thought that a packet matching:

pass in on $int_if from $int_if:network to any keep state

and no other rules would be automatically passed out on the external interface. In other words, you're saying that the pf rules are evaluated once per interface, whereas I thought it was once, period. That clears up everything. Well, regarding pf, at least :)

Maybe it would be helpful to have an ASCII diagram or one or two sentences with an example in the FAQ showing exactly how a packet traverses a multi-interfaced host (or is this already explained?); I'm sure I can't be the first person to stumble on this issue.

Thank you,
Gabriel

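The per-interface evaluation discussed in this thread, written out as a ruleset. This is an added example, not part of the original messages. It assumes a two-interface NAT gateway with made-up interface names, a `block all` default so that each hop needs its own rule, and current OpenBSD `match ... nat-to` syntax.

```conf
# Added example; interface names are assumptions, not taken from the thread.
ext_if = "em0"   # external interface (assumed name)
int_if = "em1"   # internal interface (assumed name)

# Drop anything that no later rule passes. With this default, a forwarded
# packet must be passed once on each interface it crosses.
block all

# Translation is applied as the packet leaves on the external interface.
# Rules after this one see the packet with its translated source address.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Evaluation 1: inbound on the internal interface.
# The source is still the client's internal, not-yet-translated address.
pass in on $int_if inet from $int_if:network to any keep state

# Evaluation 2: outbound on the external interface.
# The source is already translated, so this rule matches the gateway's own
# external address rather than $int_if:network.
pass out on $ext_if inet from ($ext_if) to any keep state

# Replies match the state created on each interface: they come in on
# $ext_if, are translated back, and go out on $int_if without further rules.
```

`pfctl -nf <file>` parses a ruleset like this without loading it.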