On Wed, 04 Jul 2007 12:55:34 +0200, [EMAIL PROTECTED] (Peter N. M. Hansteen)
wrote:
> Norman Maurer <[EMAIL PROTECTED]> writes:
>
>> It seems to me that I need one "in" and one "out" rule for each
>> FORWARD rule. Is this right ?
>
> not necessarily. you can have rules which are not explicitly bound to
> an interface, such as
>
> webserver = "194.54.107.19"
> webservices = "{ www, https }"
>
> block all
> pass proto tcp from any to $webserver port $webservices synproxy state
>
> (bah, untested, but you get the idea)
>
> In fact, for traffic you just want to pass through your gateway you
> can unclutter your rule set significantly this way.
>
> For setups where you need to pass traffic in on a specific interface
> (or interface group) and out on some other specific interface or
> group, it's a different story of course, but PF lets you do the less
> complicated things in very straightforward ways.
>
> This is the kind of stuff I rant about extensively in the tutorial
> at http://home.nuug.no/~peter/pf/, btw (but it's got other things as well)
>
> - P
Thx for the tip. This was working very well.
The only problem I noticed was that we had some connection problems when using
synproxy in front of our webserver. So I replaced it with keep state. Any idea if
this is a known "bug"?
bye
Norman
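As an added illustration of the two styles discussed in this thread (not part of the original mails), here is a pf.conf fragment placing the per-interface "in"/"out" pair Norman describes next to the interface-agnostic rule Peter suggests, with the synproxy variant he proposed shown alongside the keep state rule Norman settled on. The interface names are assumed; the address and service macros are the ones from the thread.

```pf
# Assumed interface names (not from the thread); the web server address and
# service macros are the ones quoted above.
ext_if = "em0"
int_if = "em1"
webserver = "194.54.107.19"
webservices = "{ www, https }"

block all

# Variant A: one "in" and one "out" rule per forwarded flow, each bound to
# an interface. Every service forwarded through the gateway needs a pair.
pass in  on $ext_if proto tcp from any to $webserver port $webservices keep state
pass out on $int_if proto tcp from any to $webserver port $webservices keep state

# Variant B: the same traffic with a single rule that names no interface.
# The rule is evaluated on whichever interface the packet enters or leaves,
# and the state created on the way in also passes the packet on the way
# out, so one line covers the forwarded flow. (A and B are alternatives,
# shown together only for comparison; the last matching rule wins.)
pass proto tcp from any to $webserver port $webservices keep state

# Variant B with synproxy state, as in Peter's reply: pf completes the TCP
# handshake with the client itself before opening the connection to the
# server, so the server never holds half-open connections. Norman reports
# connection problems with this and went back to keep state, hence it is
# left commented out here.
# pass proto tcp from any to $webserver port $webservices synproxy state
```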