On 09/12/2006 05:13:55 PM, Daniel Staal wrote:
Filtering on the other interface will work, but is likely to cause
further headaches figuring out your rules in the future. (It doubles
the complexity of your rules, basically.)
You do not have to nat everything, and you *can* tag on nat, then
filter on the tags. Between the two, you should be able to achieve
the level of control you need.
I always found it easiest to tag on the inbound to the firewall side
of whatever's initiating the connection. I haven't actually
thought about why in a long time but, offhand, I can't think
of another good strategy when working with tags. I guess I'm
assuming a "block everything" default.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
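The two strategies discussed above, "tag on nat, then filter on the tags" and "tag on the inbound side of whatever initiates the connection" under a block-everything default, as an added pf.conf example that is not from either poster. It assumes the pre-4.7 pf syntax of the period (separate nat/rdr section, explicit keep state, floating states) and the interface names and addresses are invented:

```pf
# Added example (not from the list thread). Interfaces and addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"
dmz_web = "192.168.2.10"

# --- Translation section (evaluated before the filter rules) ---
# Only the LAN is NATed; nothing else needs translation.
# A nat rule may carry "tag LAN_INIT" as well, but a translation tag
# overwrites any earlier tag, so use one tag name per flow either way.
nat on $ext_if from $lan_net to any -> ($ext_if)
# Inbound web traffic is redirected to the DMZ host and tagged by the rdr
# rule itself, so the filter never has to repeat the address/port match.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 tag WEB_IN -> $dmz_web port 80

# --- Filter section: default deny, logged so surprises show up in pflog ---
block log all

# Tag on the inbound side of whatever initiates the connection.
# These rules are stateless on purpose: the tag rides with the packet to
# the outbound interface, where the state is created.
pass in quick on $int_if from $lan_net to any tag LAN_INIT
pass in quick on $ext_if tagged WEB_IN

# Filter the other interface on the tag alone, not on addresses.
# keep state here; floating states then pass the replies back in on
# $ext_if / $dmz_if and out on $int_if without further rules.
pass out quick on $ext_if tagged LAN_INIT keep state
pass out quick on $dmz_if tagged WEB_IN  keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vsr` shows the tag on each rule and `tcpdump -n -e -ttt -i pflog0` shows what the default block is catching. Adding a second initiator (say a DMZ host allowed outbound) is one new `pass in ... tag` rule on `$dmz_if` and one `pass out ... tagged` rule on `$ext_if`, which is the complexity saving the thread is after.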