Posted by jggimi, 23rd December 2016

Originally Posted by psypro:
pass in on egress proto tcp to  port 80 keep state   \
                  (max 200, source-track rule, max-src-nodes 100, \
                   max-src-states 3)
Works perfect.
I assume that is a webserver inside your local network, such as:
{Internet} - a.b.c.d - [Router/PF] - - {LAN} - - [Wordpress server]
Originally Posted by psypro:
Then I need to change web server back to nat/firewall pc, for stability it is always one, and to free up hardware and unbound dns and split dns was a pain for now to figure out... How to force port 80 traffic reaching the firewall to go through the pf filter, like before?
I assume now that you want to move the webserver into your router, such as:
{Internet} - a.b.c.d - [Router/PF/Wordpress]
If so, your second pass rule will never match any Internet traffic. The local network address is not used by any traffic from or to the Internet. Put your stateful tracking options on the first rule, and delete the second rule (unless you need it to permit local traffic to your webserver).

Last edited by jggimi; 23rd December 2016 at 03:06 PM. Reason: typos, clarity
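The consolidation jggimi describes, as an added pf.conf example that is not part of this post or the thread. The interface name, the macros and the LAN prefix are assumptions; only the tracking options on the egress rule are the ones quoted from psypro's ruleset.

```pf
# Added example, not from the thread. Interface names, the old web
# server's address and the LAN prefix are assumptions; only the
# tracking options on the egress rule come from the post.
lan     = "em1"              # assumed LAN interface on the router
lan_net = "192.168.1.0/24"   # assumed LAN prefix

block all                    # catch-all so non-matching traffic is dropped

# Before: web server on a LAN host, reached through the router.
# Port 80 arriving on the Internet interface was redirected to that
# host. Kept only for contrast; remove once the server is on the router.
#web_srv = "192.168.1.10"    # assumed LAN address of the old web server
#match in on egress proto tcp to port 80 rdr-to $web_srv

# After: the web server runs on the router itself, so the only rule
# that can ever see Internet traffic is the one on the egress group.
# The limits belong here: at most 200 states for this rule, at most
# 100 distinct source addresses tracked, and no more than 3 concurrent
# states per source. Once a limit is reached, packets that would create
# a new state stop matching this rule and fall through to the remaining
# rules, so the earlier "block all" is what actually drops them.
pass in on egress proto tcp to port 80 keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

# A rule on the LAN address never matches packets arriving from the
# Internet, so it is only needed if LAN hosts also talk to the server.
pass in on $lan proto tcp from $lan_net to ($lan) port 80 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. `pfctl -vsr` shows per-rule evaluation and state counters, and `pfctl -s sources` lists the source-tracking entries, which is how you can tell whether the `max-src-nodes` and `max-src-states` limits are being hit in practice.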