>
> Does a packet being routed from em0 to em1 pass through PF twice?
>

PF does both ingress and egress filtering; this explains it far better than I could:
http://homepage.mac.com/quension/pf/flow.png

>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>
> block in log inet from any to any
> block out log inet from any to any
>
>
> In the second rule this indicates that the packet passes through PF once
> for each interface that it passes through, is this correct?
>

A filtering rule without direction will match both ingress and egress flows.

A PF policy will block by default if the 1st rule is:

block log all

One way of minimising the number of rules required is to use a tagged generic egress rule on each interface, e.g.

pass in quick on int1 $TCP .... $KSF tag outbound
pass in quick on int2 $TCP .... $KSF tag outbound
.
.
.
pass out quick on int3 .... $KSF tagged outbound

where

KSF="keep state flags S/SA"
TCP="inet proto tcp"

Greg

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
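As an added example (not from Greg's post), a complete pf.conf fragment applying the tag/tagged pattern on a three-interface router; the interface names, networks and service ports are assumed for illustration.

```conf
# Assumed topology: em0 = uplink, em1 = LAN, em2 = DMZ (constructed example).
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "172.31.0.0/24"
dmz_net = "172.31.1.0/24"

KSF = "keep state flags S/SA"
TCP = "inet proto tcp"

# First rule, no direction: default deny on ingress AND egress of every
# interface, and log what is dropped so policy gaps show up in pflog.
block log all

# Ingress rules classify each permitted flow once, on the interface it
# arrives on, and tag it. Without tags, every one of these would need a
# matching "pass out" on the egress interface, e.g.
#   pass out quick on $dmz_if $TCP from $lan_net to $dmz_net port 22 $KSF
#   pass out quick on $ext_if $TCP from $lan_net to any port { 80 443 } $KSF
pass in quick on $lan_if $TCP from $lan_net to $dmz_net port 22 $KSF tag outbound
pass in quick on $lan_if $TCP from $lan_net to any port { 80 443 } $KSF tag outbound
pass in quick on $dmz_if $TCP from $dmz_net to any port { 80 443 } $KSF tag outbound

# One generic egress rule per forwarding interface: only packets already
# vetted (tagged) on ingress may leave; anything untagged that reaches the
# egress pass falls through to "block log all" above. With PF's default
# floating state policy the state created on ingress usually matches the
# same packet on egress already; these rules are what still let it out
# under "set state-policy if-bound" and keep untagged traffic from leaving.
pass out quick on $ext_if $KSF tagged outbound
pass out quick on $dmz_if $KSF tagged outbound
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; a tag name that is never matched by a `tagged` rule is not an error, so also confirm with `pfctl -sr` that each egress interface has its generic rule.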