On Mon, Sep 08, 2008 at 07:22:55PM +0200, [EMAIL PROTECTED] wrote:
> 
> >
> > You're missing the no-nat rule.  This shouldn't break the "reflection"
> > traffic but might cause adverse effects for other connections originating
> > from your firewall.
> 
> just that?
> no nat on $int_if proto tcp from $int_if to $int_net
> 
> what type of connections could be broken?

I never said it would break connections, I said it could cause adverse
effects.  Per the PF FAQ:

"Care must be taken to prevent the NAT rule from applying to other
traffic, for instance connections originating from external hosts
(through other redirections) or the firewall itself."

Think about how the states are created and how this might affect other
traffic.
 
> i have binat rules so i'm afraid my nat rules break it and i must make a
> condition on my nat rule (like nating only from one ip)

I think that you don't really understand the rules you're using.  If you
did, you'd realize this has no effect on your outbound nat/binat rules.
 
> my other question is: if i nat on the internal interface,
> could the traffic go out on the external interfaces?
> i was reading that pf compares the ip of the interface and the ones in the packet
> 
> this migration from iptables to pf on so large a farm of servers might be
> finishing like in hell ;)

You're overthinking this too much.  If you're not comfortable with this
method, forget it and just use split-horizon DNS.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/

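For readers following the thread, here is the complete reflection rule set the discussion is about, laid out as an added example (it is not from any poster, only the `no nat ... from $int_if to $int_net` line appears in the thread). It uses the pre-OpenBSD-4.7 `nat`/`rdr` syntax that was current in 2008. `$int_if` and `$int_net` are the thread's macros; `$ext_if`, `$server`, the interface names, the addresses and the port are assumptions constructed for the example.

```conf
# Added example, not code from the thread.  Pre-OpenBSD-4.7 pf.conf syntax.
# $int_if and $int_net are named in the thread; everything else is assumed.
ext_if  = "em0"               # assumed external interface
int_if  = "em1"               # assumed internal interface
int_net = "192.168.1.0/24"    # constructed internal network
server  = "192.168.1.10"      # constructed: web server behind the firewall

# 1. The reflection itself: internal clients that connect to the firewall's
#    external address on port 80 are redirected to the internal server.
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server

# 2. Exempt connections the firewall itself originates toward the LAN from the
#    nat rule below.  Without this line, firewall-sourced traffic to $int_net
#    that matches the nat rule would be translated too; this is the rule the
#    thread discusses.  Order matters: "no nat" must precede the "nat" rule.
no nat on $int_if proto tcp from $int_if to $int_net

# 3. Rewrite the source of the reflected connections to the firewall's internal
#    address so the server's replies come back through the firewall.  Otherwise
#    the client would receive replies from $server while it expects $ext_if,
#    and the TCP session would never establish.  Restricting the rule to
#    "$int_net -> $server port 80" keeps it off unrelated traffic.
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# Filter rules see the translated addresses (destination is $server after rdr).
pass in  on $int_if proto tcp from $int_net to $server port 80
pass out on $int_if proto tcp to $server port 80
```

Two points worth checking before deploying this: `pfctl -nf /etc/pf.conf` parses the file, and `pfctl -s state` after a test connection should show a NAT state with the firewall's internal address as the translated source. Also note the side effect the FAQ warns about: any `$int_net` client that connects to `$server` on port 80 directly (not only via the reflected address) is also rewritten, so the server's access logs record the firewall's internal address for those connections rather than the client's, which matters when you later need to attribute requests during an investigation.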