View Single Post
  #6   (View Single Post)  
Old 1st December 2008
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default

You're looking for something along these lines...

Code:
#STMT 1
nat on $ext_if inet tagged MYIN2OUT -> ($ext_if:0)
#
# STMT 2
pass in log quick on $int_if inet \
 from ($int_if:network) to any \
 tag MYIN2OUT \
 keep state
#
# STMT 3
pass out log quick on $ext_if inet \
 tagged MYIN2OUT \
 keep state
#
In the order of precedence, your traffic originating on your $int_if:network and destined for the internet is FIRST inspected and passed by SMTM#2, then NAT translation occurs by STMT#1, and is then inspected and passed by STMT#3.

The use of tag/tagged means you -- the pf.conf author -- don't need to know the real IP source/dest translations at the point of each statement to write a clean (and leak-proof) pf.conf.


/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 1st December 2008 at 09:53 PM.
Reply With Quote