Post #5, 27th June 2014
jggimi:
  1. The last rule that matches will be in effect. Your two block all rules:
    Code:
    # Deny Policy
    block in log all
    block out log all
    are after 4 of your pass rules: your binat pass, your nat pass, and your 2 rdr pass rules. These rules will never be used.
  2. These rules work, but they can be replaced with set skip on lo0:
    Code:
    # Traffic Loopback
    pass in quick on lo0 all
    pass out quick on lo0 all
I cannot determine from your configuration file what traffic you do not want redirected. For lack of information, let us pretend, for a moment, that your original request at the top of this thread was in reference to this particular rule:
Code:
pass in on $ext_if proto tcp from any to $srv03_ext port 80 rdr-to $srv04_int port 80
Now that rule will never be applied, per your error above. But, if you move your default deny above it, it can then redirect traffic from any IP address. Let us also pretend that you have a table called <adm> that you do not want to redirect to $srv04_int port 80. Add a second rule, after this first rule:
Code:
pass in on $ext_if proto tcp from <adm> to $srv03_ext port 80
Is this clear? The first rule is the general case. The second rule is the narrower case, and the last matching rule applies. For addresses in the <adm> table, rdr-to will not apply.
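As an added example (this is not code from jggimi's post or from the poster's configuration), here is the ordering he describes put together in one pf.conf fragment: loopback skipped, the default deny first, the translation pass rules after it, and the narrower <adm> rule last so that it is the final match for those addresses. The macro names ($ext_if, $srv03_ext, $srv04_int) and the <adm> table are the ones from the thread; the interface name, the addresses assigned to the macros and the table members are assumed for illustration.

```conf
# Added example, not from the original post. Interface, addresses and
# table members below are assumed; only the names come from the thread.
ext_if = "em0"
srv03_ext = "203.0.113.3"
srv04_int = "10.0.0.4"
table <adm> { 198.51.100.10, 198.51.100.11 }

# Loopback is never filtered. This replaces the two
# "pass in/out quick on lo0 all" rules.
set skip on lo0

# Default deny goes first: with last-match semantics, every pass rule
# listed below it is able to override it. Placed after the pass rules,
# these two would silently win instead.
block in log all
block out log all

# Translation pass rules belong below the default deny. The binat and nat
# rules from the poster's file would go here as well; one assumed nat rule
# is shown so the fragment loads on its own.
pass out on $ext_if from 10.0.0.0/24 nat-to ($ext_if)

# General case: anyone reaching $srv03_ext on port 80 is redirected.
pass in on $ext_if proto tcp from any to $srv03_ext port 80 \
    rdr-to $srv04_int port 80

# Narrower case, listed last. For sources in <adm> this is the last
# matching rule, so it wins and the packet is passed to $srv03_ext
# without rdr-to. Do not mark the general rule "quick", or evaluation
# would stop there and this rule would never be reached.
pass in on $ext_if proto tcp from <adm> to $srv03_ext port 80
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it; after loading, `pfctl -sr` prints the rules in the order pf evaluates them, which is the quickest way to confirm that the block rules sit above the pass rules, and `pfctl -t adm -T show` lists the current members of the table. Note that the un-redirected packets from <adm> are delivered to whatever actually owns $srv03_ext (the firewall itself if that address is an alias on $ext_if, or a host behind it otherwise), so that destination must be listening on port 80 for the exception to be useful.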