On Fri, 11 Apr 2008, Ermal Luçi spaketh thusly:
-} What's wrong with only in rules?!
-}
-} You can do the same blocking as you would do with out and just save
-} your computer from blocking the packet after traversing the whole
-} machine!
Blocking out has different uses. As a simple and not uncommon example, you may have a net that has a mail server on it. You need to allow hosts on the net a fair amount of freedom, but for any of several good reasons only the mail server can make outbound SMTP connections.

In this case you cannot block source ports because you have no idea what the source port will be, other than most likely a high port (which indeed has quite a range). You cannot block source addresses because the hosts need to get out for a variety of reasons. You cannot block dest addresses because, well, the connection can be to anywhere. I think the only real way to do this is to block dest ports, tho' I've been wrong before.

If you have another way I'm all ears, because I really like pfsense and think much good work has been done on it. It just can't do what we need.

--
Randy ([EMAIL PROTECTED]) 765.983.1283
<*> Love with your heart, think with your head; not the other way around.
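As an added illustration (not code from either poster), here are the two ways the policy Randy describes can be written in plain pf.conf syntax: as an out rule on the external interface, and as an in rule on the internal interface, both matching on destination port 25 and exempting the mail server by source address. The interface names em0/em1 and the mail server address 192.0.2.25 are assumed placeholders, not values from the thread.

```pf
# Assumed interface names and a constructed (TEST-NET-1) mail server address.
ext_if     = "em0"
int_if     = "em1"
mailserver = "192.0.2.25"

# Form 1: out rule on the external interface. SMTP leaving the box is dropped
# unless its source is the mail server. Matches the "block dest ports" approach.
block out quick on $ext_if proto tcp from ! $mailserver to any port 25

# Form 2: in rule on the internal interface. The same traffic is dropped as it
# enters from the LAN, before it is routed through the rest of the machine.
block in quick on $int_if proto tcp from ! $mailserver to any port 25

# The mail server itself is explicitly allowed out to port 25 (stateful).
pass out on $ext_if proto tcp from $mailserver to any port 25 keep state
```

Either form enforces the same policy; only one of the two block rules is needed, and `pfctl -nf /etc/pf.conf` will syntax-check the file before loading it.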
