
Re: rdr vs pass



On Tue, 1 Mar 2005 15:26:56 -0600 
"Rolen, Mark E." <MERolen@apacmail.com> wrote:

> I'm unsure as to why you'd ever rdr traffic that you intended to
> block, so it used to peeve me to have to create pass rules to cover
> what I'd already redirected.  I was glad to see "rdr pass" come along.
>  Granted, I'm *not* a
> professional firewall guy, so there may be legit reasons to rdr and
> then block, and if so, I'd be curious to know 'em.
> 

The only thing I rdr pass for is spamd running on the firewall.

>  
> 
> -----Original Message-----
> From: jabbott@abbotts.org [mailto:jabbott@abbotts.org] 
> Sent: Tuesday, March 01, 2005 3:14 PM
> To: Rolen, Mark E.
> Cc: misc@openbsd.org
> Subject: RE: rdr vs pass
> 
> 
> Right, that is what he is talking about.  What I am asking is; is this
> a good thing?  
> 
> --ja
> 
> On Tue, 1 Mar 2005, Rolen, Mark E. wrote:
> 
> > 
> > >On Tue, 2005-03-01 at 14:38:57 -0600, jabbott@abbotts.org
> > >proclaimed...
> > >> What is the opinion of the list?
> > >To redirect traffic IN on one interface OUT another, you need rdr.
> > >To permit this behavior, you ALSO need a rule to permit/deny/etc.
> > 
> > 
> > 
> > In newer versions of pf, you can just:
> > 
> > rdr pass on $ext_if ....
> > 
> > and skip creating pass rules to cover the rdr.
> > 
> > Regards,
> > Mark
> > 
> > 
> >  
> > 
> 
> --