On 2010-06-14, william dunand <william.dun...@gmail.com> wrote:
> Well this rule-set's purpose is just to illustrate the "problem".

Ah, for that we can go simpler:

    pass log
    match

Now you would expect any outgoing traffic to be logged. It isn't. I've sent a PR for this so it's not lost - it will probably be kernel/6401.

You don't need it for your requirements though:

> ### Ext outbound ###
> match out on $ext_if from any to any queue (q_low, q_max)
> ... bunch of pass out on $ext_if from something to something ...

Add "block out log on $ext_if proto tcp to port 25" here.

> pass out on $ext_if proto tcp from {A, B} to any port 25
> match out on $ext_if from $somewhere to any nat-to $something

Move this nat-to rule above the pass rule/s that it needs to apply to.

In general (excepting the bug demonstrated above), match rules don't affect preceding rules.
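The outbound section with both of the suggested changes applied, written out as a complete pf.conf fragment. This is an added example, not the poster's ruleset: the interface, networks, relay addresses, NAT address and the ALTQ queue definitions are constructed placeholders standing in for the macros in the quoted rules.

```pf
# Constructed placeholders for the macros used in the quoted rules.
ext_if      = "em0"
somewhere   = "192.168.1.0/24"           # LAN that needs source NAT
something   = "203.0.113.5"              # public address to nat-to
mail_relays = "{ 172.16.0.10 172.16.0.11 }"  # the hosts called A and B

# Queue definitions so that queue (q_low, q_max) below is resolvable.
altq on $ext_if cbq bandwidth 10Mb queue { q_low, q_max }
queue q_low bandwidth 20% cbq(default)
queue q_max bandwidth 80% cbq

### Ext outbound: order as quoted in the thread (for comparison) ###
# match out on $ext_if from any to any queue (q_low, q_max)
# ... pass out on $ext_if from $somewhere ...
# pass out on $ext_if proto tcp from $mail_relays to any port 25
# match out on $ext_if from $somewhere to any nat-to $something
#   The nat-to match rule comes after the pass rules it is meant to
#   apply to, and nothing blocks or logs SMTP from other hosts.

### Ext outbound: reordered ###
# Match rules only set options (queue, nat-to, log); the last matching
# pass or block rule still decides the verdict, and a match rule placed
# after a pass rule does not act on it. Options therefore go first.
match out on $ext_if from any to any queue (q_low, q_max)
match out on $ext_if from $somewhere to any nat-to $something

# Ordinary LAN traffic; evaluated after the nat-to it depends on.
pass out on $ext_if inet proto { tcp udp } from $somewhere to any

# Default-deny outbound SMTP and log the attempts ...
block out log on $ext_if proto tcp to port 25
# ... then allow only the relays. Because the pass rule is the later
# match, A and B are passed; any other host falls back to the logged block.
pass out on $ext_if proto tcp from $mail_relays to any port 25
```

Check the result with `pfctl -nf /etc/pf.conf` before loading; the logged blocks can then be watched on pflog0 with tcpdump.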