They are two separate actions. The 'rdr pass' rule allows connections to port 80 (in other words: no additional filter rules are involved or consulted) and triggers the redirection (translation), the second 'pass out' rule concerns the subsequent 'new' translated connection, caused by the redirection. Sure, it feels like you're doing the same thing twice, but to pf, these are two entirely separate entitities which need their own rules.
|