Would I need the quick though? I would think you want pf to keep evaluating the rules after they enter the int interface.

________________________________________
From: Adriaan [[email protected]]
Sent: Monday, November 07, 2011 6:09 PM
To: Bentley, Dain
Cc: Patrick Lamaiziere; [email protected]
Subject: Re: PF.CONF - with DMZ and packet tagging example

On Mon, Nov 7, 2011 at 11:59 PM, Bentley, Dain <[email protected]> wrote:
> I guess I should add quick to the following:
> block in on $ext from $RFC1918 to any
> block out on $ext from any to $RFC1918
> block in on $ext from <bastards>
>
>
> ________________________________________
> From: Patrick Lamaiziere [[email protected]]
> Sent: Monday, November 07, 2011 5:37 PM
> To: [email protected]; Bentley, Dain
> Subject: Re: PF.CONF - with DMZ and packet tagging example
>
> On Mon, 7 Nov 2011 16:58:29 -0500,
> "Bentley, Dain" <[email protected]> wrote:
>
> Hello,
>
>> block in on $ext from <bastards>
>> #NAT INBOUND TO DMZ
>> pass in on $ext proto tcp from any to any port $web_services rdr-to
>> $webserver tag INET_TO_DMZ
>> pass in on $ext proto tcp from any to any port $mail_services rdr-to
>> $mailserver tag INET_TO_DMZ
>
> Doesn't look good, missing quick in the block rule?
>
> Regards.
>

You should also consider the advice I gave in http://www.daemonforums.org/showthread.php?t=6483#post41274

Adriaan
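
Added example (not from the thread or from pf itself): a small Python model of pf's last-matching-rule-wins evaluation, fed the thread's own "block in on $ext from $RFC1918" and "pass in on $ext ... port $web_services rdr-to $webserver" rules, to show why the block needs quick once a later, broader pass rule also matches. The interface name, the sample packets and the simplified matchers are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Simplified model of pf rule evaluation (constructed for this example):
# rules are walked in order, the LAST matching rule decides the packet,
# unless a matching rule carries "quick", which ends evaluation at once.
# With no matching rule at all, pf's default is to pass.

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_SERVICES = {80, 443}          # stands in for $web_services


def rule(action, iface, direction, match, quick=False, label=""):
    return {"action": action, "iface": iface, "dir": direction,
            "match": match, "quick": quick, "label": label}


def from_rfc1918(pkt):            # "from $RFC1918 to any"
    return any(ip_address(pkt["src"]) in n for n in RFC1918)


def to_web(pkt):                  # "proto tcp from any to any port $web_services"
    return pkt["proto"] == "tcp" and pkt["dport"] in WEB_SERVICES


def ruleset(block_has_quick):
    # The two rules from the thread, in the order they appear in pf.conf.
    return [
        rule("block", "ext", "in", from_rfc1918, quick=block_has_quick,
             label="block in on $ext from $RFC1918 to any"),
        rule("pass", "ext", "in", to_web,
             label="pass in on $ext proto tcp ... port $web_services rdr-to $webserver"),
    ]


def evaluate(rules, pkt):
    """Return (action, label) of the rule that finally decides the packet."""
    decision = ("pass", "default pass")
    for r in rules:
        if r["iface"] != pkt["iface"] or r["dir"] != pkt["dir"] or not r["match"](pkt):
            continue
        decision = (r["action"], r["label"])
        if r["quick"]:            # quick: this match is final, stop walking
            break
    return decision


# Constructed packets: a spoofed private source and a legitimate one, both to port 80.
SPOOFED = {"iface": "ext", "dir": "in", "src": "10.1.2.3", "proto": "tcp", "dport": 80}
LEGIT = {"iface": "ext", "dir": "in", "src": "198.51.100.7", "proto": "tcp", "dport": 80}


def decide(pkt, block_has_quick):
    return evaluate(ruleset(block_has_quick), pkt)[0]
```

Without quick the spoofed packet is decided by the later pass rdr-to rule ("pass"); with quick the block holds, while the legitimate client still passes either way.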

