Code:
# forward web traffic to webserver (trac)
rdr on $ext0 proto tcp from any to ($ext0) port 80 -> $webServer
From man pf.conf
Code:
Packets that match a translation rule are only
automatically passed if the pass modifier is given, otherwise they are
still subject to block and pass rules.
And from the pf users guide
Quote:
NOTE: Translated packets must still pass through the filter engine and will be blocked or passed based on the filter rules that have been defined.
The only exception to this rule is when the pass keyword is used within the rdr rule. In this case, the redirected packets will pass statefully right through the filtering engine: the filter rules won't be evaluated against these packets. This is a handy shortcut to avoid adding pass filter rules for each redirection rule. Think of it as a normal rdr rule (with no pass keyword) associated to a pass filter rule with the keep state keyword. However, if you want to enable more specific filtering options such as synproxy, modulate state, etc. you'll still have to use a dedicate pass rule as these options don't fit into redirection rules.
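An added example, not part of the original post or of the pf documentation: the redirection above written both ways in the same old-style `rdr` syntax. The interface name and server address are constructed values, since the post shows only the macro names `$ext0` and `$webServer`.

```pf
# Constructed values; the post only shows the macro names.
ext0      = "em0"            # assumed external interface
webServer = "192.168.1.10"   # assumed internal web server address

# Option A: plain rdr. The redirected packet still goes through the filter
# rules, so it needs its own pass rule or the block rule below drops it.
rdr on $ext0 proto tcp from any to ($ext0) port 80 -> $webServer

# Option B (use instead of A plus the pass rule): rdr pass skips the filter
# rules and passes statefully, but cannot carry synproxy or modulate state.
# rdr pass on $ext0 proto tcp from any to ($ext0) port 80 -> $webServer

# Default deny for inbound traffic on the external interface.
block in on $ext0 all

# Translation happens before filtering, so the destination to match here is
# the translated address ($webServer), not the address on $ext0.
pass in on $ext0 proto tcp from any to $webServer port 80 flags S/SA synproxy state
```

With option A, `pfctl -nf /etc/pf.conf` checks that the ruleset parses, and `pfctl -sn` and `pfctl -sr` show the loaded translation and filter rules separately.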