Hi all,
we are on the way to migrate some Linux firewall to a pf firewall. After I read
the pf faq and manual pages I'm still not sure what's the best way to replace
iptables "FORWARD" rules.
It seems to me that I need one "in" and one "out" rule for each FORWARD rule.
Is this right?
Is it ok to use something like:
------------------------------------------
block all
pass out keep state
pass in on fxp0 proto tcp from any to 1.2.3.4 port {80,443} synproxy state
------------------------------------------
Or would the preferred way be:
------------------------------------------
block all
pass in on fxp0 proto tcp from any to 1.2.3.4 port {80,443} synproxy state
pass out on fxp1 proto tcp from any to 1.2.3.4 port {80,443} synproxy state
------------------------------------------
I ask because if I need to write 2 rules for each forward the config will get
really big.
Thx
Norman
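
As an added example (not part of the original post), here is a small Python model of pf's last-match rule evaluation, run over the two rulesets from the message. It assumes a routed packet is checked inbound on fxp0 and then outbound on fxp1, and it models only the connection-opening packet (no state tracking or synproxy); the names `Rule`, `evaluate` and `forward` and the address 192.0.2.53 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    iface: Optional[str] = None      # None matches any interface
    dst: Optional[str] = None        # None matches any destination
    ports: frozenset = frozenset()   # empty set matches any port

    def matches(self, direction, iface, dst, port):
        return (self.direction in (None, direction)
                and self.iface in (None, iface)
                and self.dst in (None, dst)
                and (not self.ports or port in self.ports))

def evaluate(rules, direction, iface, dst, port):
    """Without 'quick' the last matching rule decides; no match means pass."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(direction, iface, dst, port):
            verdict = rule.action
    return verdict

def forward(rules, in_if, out_if, dst, port):
    """A routed packet must pass inbound on in_if and outbound on out_if."""
    return (evaluate(rules, "in", in_if, dst, port) == "pass"
            and evaluate(rules, "out", out_if, dst, port) == "pass")

WEB = frozenset({80, 443})
BLOCK_ALL = Rule("block")
PASS_IN = Rule("pass", "in", "fxp0", "1.2.3.4", WEB)

# The two rulesets from the post, plus "pass in" alone for comparison.
VARIANT_1 = [BLOCK_ALL, Rule("pass", "out"), PASS_IN]
VARIANT_2 = [BLOCK_ALL, PASS_IN, Rule("pass", "out", "fxp1", "1.2.3.4", WEB)]
IN_ONLY = [BLOCK_ALL, PASS_IN]

if __name__ == "__main__":
    for name, rs in [("variant 1", VARIANT_1), ("variant 2", VARIANT_2),
                     ("in only", IN_ONLY)]:
        print(name,
              "| web forward:", forward(rs, "fxp0", "fxp1", "1.2.3.4", 443),
              "| ssh forward:", forward(rs, "fxp0", "fxp1", "1.2.3.4", 22),
              # Constructed destination: an unrelated packet leaving on fxp0.
              "| other out fxp0:", evaluate(rs, "out", "fxp0", "192.0.2.53", 53))
```

In this model both variants forward the web traffic and nothing else from fxp0, but the blanket `pass out` in the first variant also passes any other packet leaving on any interface, which the second variant blocks.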