Re: no access to web server behind ipfw

2008-10-17 Thread Christer Hermansson

Chen Xu wrote:

> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state

You use in via $pif, I'm not 100% sure but I think you should only use
via $pif.

> # Authorized inbound packets
> $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5

I think it's bad to use stateful rules for inbound connections.

--

Christer Hermansson

http://www.chdevelopment.se


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: no access to web server behind ipfw

2008-10-17 Thread Chen Xu
Hi Christer,

I followed the example from the handbook. Yes, it is OK to divert in and
out separately. skipto is used to point to the divert out rule number
when it is outbound.

I run into problems only when using natd to redirect from the gateway to
the local machine. tcpdump shows that packets in both directions actually
go through fine, but only the head is there, the body was ripped off. I am
looking into OpenBSD's PF right now. It is such a simple goal to reach but
it seems not so easy.

-Chen

* Christer Hermansson [EMAIL PROTECTED] [081017 14:54]:
> Chen Xu wrote:
> > $cmd 100 divert natd ip from any to any in via $pif
> > $cmd 101 check-state
>
> You use in via $pif, I'm not 100% sure but I think you should only use
> via $pif.
>
> > # Authorized inbound packets
> > $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit src-addr 5
>
> I think it's bad to use stateful rules for inbound connections.
>
> --
>
> Christer Hermansson
>
> http://www.chdevelopment.se

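As an added illustration of the layout both messages refer to (divert in, check-state, skipto to a separate divert out, and a stateless inbound rule for the web server as Christer suggests), here is a small dry-run rule generator. It is not code from the thread or from the FreeBSD handbook. The public interface name em0, the LAN 192.168.1.0/24 and the natd -interface / -redirect_port invocation are assumptions for the example; 192.168.1.10 is the web server address from the thread. The point worth seeing in code is that an allow rule placed before the outbound divert ends rule processing, so a reply from the internal server would leave with its private source address; the reply path therefore uses skipto to reach the divert out rule instead of allow.

```shell
#!/bin/sh
# Added example (not from the thread or the handbook): dry-run generator
# for an ipfw/natd ruleset with a web server behind the gateway.
# By default the rules are only printed; on the gateway run with
#   IPFW_CMD='ipfw -q add' sh rules.sh
pif="em0"                  # assumption: public interface
www="192.168.1.10"         # internal web server from the thread
lan="192.168.1.0/24"       # assumption: LAN behind the gateway
cmd="${IPFW_CMD:-echo ipfw -q add}"

# natd has to carry the port redirect and be started before the rules:
#   natd -interface "$pif" -redirect_port tcp "$www:80" 80

ruleset() {
    # Inbound packets are translated first, so every later rule sees the
    # internal address 192.168.1.10 rather than the gateway address.
    $cmd 100 divert natd ip from any to any in via $pif
    $cmd 101 check-state
    $cmd 110 allow ip from any to any via lo0

    # Sessions started from the LAN: record state, then jump to the
    # outbound divert so the source address is translated on the way out.
    $cmd 450 skipto 800 tcp from $lan to any out via $pif setup keep-state
    $cmd 451 skipto 800 udp from $lan to any out via $pif keep-state

    # Inbound web traffic, stateless: one rule per direction. The reply is
    # NOT allowed here, because allow ends processing and the packet would
    # leave untranslated; it is sent to the outbound divert instead.
    $cmd 420 allow tcp from any to $www 80 in via $pif
    $cmd 421 skipto 800 tcp from $www 80 to any out via $pif

    # Anything else arriving on the public interface is dropped and logged.
    $cmd 500 deny log ip from any to any in via $pif

    # Outbound divert: every packet leaving via $pif is translated here,
    # then allowed; packets on the internal interface also end up at 801.
    $cmd 800 divert natd ip from any to any out via $pif
    $cmd 801 allow ip from any to any
}

ruleset
```

Run as-is it only prints the ipfw commands, which is a convenient way to review rule order before loading them; only rule 421 differs from a plain "allow" reply rule, and that difference is what keeps the server's replies on the translated path.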