Stephan A. Rickauer wrote:
Gaby vanhegan wrote:
Yes, correct, my bad... Or perhaps this would work also:
block out on $if_dmz keep state
pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp keep state
Maybe that was what I intended to write... :)
Ok, I am now playing with 'fwbuilder' to see what the generated pf rules
look like. Presumably, they won't be structured as efficiently as if one
writes them by hand - but managing hundreds of rules manually is a
nightmare ...
Thanks so far,
Hello,
I think you know the following, but nevertheless it's important if you
port your rules from netfilter to pf.
In netfilter, nat and filter rules are checked with:
first match wins.
In pf nat rules also the first match wins
__but__
in pf filter rules the __last__ match wins.
In fact that is the one thing I don't like in pf, but to have a "first
match wins" you can use the magic word quick in all your pass and block
rules (e.g. "pass in quick").
guido
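The ordering difference guido describes, modelled as an added Python example (not code from this thread): a toy evaluator applies netfilter's first-match and pf's last-match-unless-quick semantics to the same rule list, showing why a ruleset ported verbatim from netfilter order ends up blocking SMTP until `quick` is added. Rule matching is simplified to destination port only; the default outcomes ("block" policy for netfilter, "pass" for pf when nothing matches) are assumptions for this model.

```python
"""Toy evaluator contrasting netfilter and pf filter-rule matching order.
Added example, not from the original thread. Rules are reduced to an
action, the pf 'quick' flag and an optional destination port."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    quick: bool = False             # pf keyword: stop evaluating on this match
    dst_port: Optional[int] = None  # None matches any destination port


def matches(rule: Rule, dst_port: int) -> bool:
    return rule.dst_port is None or rule.dst_port == dst_port


def netfilter_decide(rules: List[Rule], dst_port: int, policy: str = "block") -> str:
    """netfilter: the first matching rule wins; chain policy if nothing matches."""
    for r in rules:
        if matches(r, dst_port):
            return r.action
    return policy


def pf_decide(rules: List[Rule], dst_port: int) -> str:
    """pf filter rules: the last matching rule wins, unless a matching rule
    carries 'quick', which ends evaluation at once. No match -> pass (assumed
    pf default for this model)."""
    winner = "pass"
    for r in rules:
        if matches(r, dst_port):
            winner = r.action
            if r.quick:
                break
    return winner


def with_quick(rules: List[Rule]) -> List[Rule]:
    """Port a netfilter-ordered ruleset to pf by marking every rule 'quick'."""
    return [replace(r, quick=True) for r in rules]


# Constructed ruleset in netfilter order: allow SMTP (25), then deny the rest.
NETFILTER_ORDER = [Rule("pass", dst_port=25), Rule("block")]


def compare(dst_port: int) -> Dict[str, str]:
    """Decision for one packet under netfilter, pf verbatim, and pf with quick."""
    return {
        "netfilter": netfilter_decide(NETFILTER_ORDER, dst_port),
        "pf_verbatim": pf_decide(NETFILTER_ORDER, dst_port),
        "pf_quick": pf_decide(with_quick(NETFILTER_ORDER), dst_port),
    }
```

Running `compare(25)` shows SMTP passing under netfilter and under pf with `quick`, but blocked by the verbatim pf port because the trailing `block` rule is the last match.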