Code:
pass in on egress proto tcp to 192.168.0.2 port 80 keep state \
(max 200, source-track rule, max-src-nodes 100, \
max-src-states 3)
Works perfectly.
Then I needed to change the web server back to the NAT/firewall PC; for stability it is always one, and to free up hardware. Unbound DNS and split DNS were a pain to figure out for now.
Code:
pass in on egress inet proto tcp from any to (egress) port 80
pass in on egress proto tcp to 192.168.0.1 port 80 keep state \
(max 200, source-track rule, max-src-nodes 100, \
max-src-states 3)
Does not give as efficient protection. It reduces the php-fpm spam by 60 %, but not by 99 % as the top example (and network and hardware setup) did.
How do I force port 80 traffic reaching the firewall to go through the pf filter, like before?
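An added example, not from the post above, that puts the same state limits on the rule matching traffic to the firewall's own address. It assumes the web server now listens on the firewall's external IP (which `(egress)` expands to) and that 192.168.0.1 is only the internal LAN address, so a rule "to 192.168.0.1" never sees connections arriving from the Internet.

```pf
# Added example, not the original poster's ruleset. Assumptions: the web
# server runs on the firewall and listens on the external address, which
# is what "(egress)" expands to; 192.168.0.1 is the internal LAN address
# and is never the destination of inbound Internet traffic.

# Weak: pf evaluates all rules and the LAST match wins. The first rule
# matches Internet clients but carries no limits; the second rule has the
# limits but never matches them (wrong destination), so every client is
# passed with an unlimited number of states.
pass in on egress inet proto tcp from any to (egress) port 80
pass in on egress proto tcp to 192.168.0.1 port 80 keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

# Corrected: attach the limits to the rule for the address clients reach.
# "quick" ends evaluation on match, so no later unlimited rule can take
# over; source-track rule keeps a per-source count for this rule only.
pass in quick on egress inet proto tcp from any to (egress) port 80 \
    keep state (max 200, source-track rule, max-src-nodes 100, \
    max-src-states 3)

# Syntax check before loading:  pfctl -nf /etc/pf.conf
# Inspect tracked sources after loading:  pfctl -s Sources
```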