* Claudio Jeker <cje...@diehard.n-r-g.com> [2009-11-13 18:19]:
> > nat-to and rdr-to on pass rules are only applied if it is the last
> > matching rule. for match rules they're always applied.
> Maybe something like this. The result is that you need to have a
> "pass tagged FTPTAG" rule after the anchor (or one rule per direction) or
> the traffic may be blocked.

we could add a "pass tagged FTPTAG" rule in that case, or just document
the fact. the assumption is that you want to do something with the
packets afterwards if you are tagging, so i tend to "just document".

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting