Quoting Jason Dixon <[EMAIL PROTECTED]>:
> I never said it would break connections, I said it could cause adverse
> effects. Per the PF FAQ:
>
> "Care must be taken to prevent the NAT rule from applying to other
> traffic, for instance connections originating from external hosts
> (through other redirections) or the firewall itself."
>
> Think about how the states are created and how this might affect other
> traffic.

OK.

> > I have binat rules, so I'm afraid my nat rules break it and I must put
> > a condition on my nat rule (like NATing only from one IP).
>
> I think that you don't really understand the rules you're using. If you
> did, you'd realize this has no effect on your outbound nat/binat rules.

OK, maybe I'm overthinking it. Like you said below, I don't want to run
into problems the night we put it in production.

> > My other one is: if I nat on the internal interface, could the traffic
> > go out on the external interfaces? I was reading that pf compares the
> > IP of the interface and the ones in the packet.
> >
> > This migration from iptables to pf on such a large farm of servers
> > might finish up like hell ;)
>
> You're overthinking this too much. If you're not comfortable with this
> method, forget it and just use split-horizon DNS.

The rules were pretty easy to find with a fresh brain, except the "no nat"
thing! I think I will keep this method, as we can't play with the split
method.

Thanks Jason for your help.
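For readers landing on this thread: the setup being argued about is pf's "reflection" trick, where internal clients reach an internal server through its public address by combining an rdr on the internal interface with a nat on the same interface. The following pf.conf fragment is an added example, not from this thread and not the poster's own ruleset; it follows the shape of the PF FAQ's reflection section in the nat/rdr syntax pf used at the time (before OpenBSD 4.7 moved translation into match/pass rules with nat-to/rdr-to). The interface names, the internal network and the server address are assumed placeholders.

```pf
# Added example (not from the thread). Placeholders, adjust to your site:
ext_if  = "fxp0"
int_if  = "dc0"
int_net = "192.168.1.0/24"
server  = "192.168.1.40"

# External clients: ordinary redirection of the public address to the
# internal web server. These connections also leave via $int_if, which
# is exactly why the nat rule below must be restricted.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server

# Internal clients hitting the public address: redirect on the internal
# interface so the packet is turned around towards the server ...
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server

# ... but keep the firewall's own connections to internal hosts untouched
# (this is the "no nat" rule the thread mentions; the FAQ's warning about
# "the firewall itself" is handled here).
no nat on $int_if proto tcp from $int_if to $int_net

# ... and rewrite the client's source to the firewall's internal address,
# ONLY for the reflected flows. The "from $int_net to $server port 80"
# condition is the "care" the FAQ asks for: a bare "nat on $int_if ... ->
# $int_if" would also source-NAT connections from external hosts arriving
# through the rdr on $ext_if, and every other packet leaving $int_if.
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# Minimal filter rules; filtering sees the translated addresses.
pass in  on $ext_if proto tcp from any      to $server port 80 flags S/SA keep state
pass in  on $int_if proto tcp from $int_net to $server port 80 flags S/SA keep state
pass out on $int_if proto tcp              to $server port 80 keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, `pfctl -s nat` to see the translation rules as pf parsed them, and `pfctl -ss` during a test connection from an internal client: you should see one state on $int_if for the client-to-public-address leg and a second with the firewall's internal address as source. The known cost, which is what the split-horizon DNS suggestion avoids, is that the server sees every reflected internal client as coming from $int_if, so its logs and any per-client access controls lose the real client address.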
