Max Laier wrote:
> On Wednesday 03 September 2008 13:09:43 Guido van Rooij wrote:
>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>
>> ep0: 1.2.3.4/24
>> bge0: 10.0.0.1/24
>>
>> ruleset (made as simple as possible):
>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
>> block drop out log quick on ep0 all
>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
>> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
>> and passes because of rule 1.
>> Then the packet goes out via bge0, is passed via rule 3 and a state entry
>> is created.
>>
>> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>>
>> Then the packet should be sent out via ep0, but it is blocked, as pflogd
>> shows: 000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 >
>
> There is no state entry and no rule that would allow traffic to be sent out
> via ep0. You either have to create state on ep0 or you must allow traffic on
> ep0 in both directions. I think the ruleset you are looking for is something
> along the lines of:
>
> block drop all
>
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
> pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
>
The OP didn't like that answer when I gave it to him. Maybe you've managed to provide a more felicitous wording. ;-)

--Jon Radel
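To make the point in Max's reply concrete, here is an added example (not code from this thread, and not FreeBSD's or OpenBSD's pf): a small Python model of pf's direction-aware state lookup, run over Guido's original ruleset and over the suggested one for the same four-packet handshake. It assumes the lan/ext/gwy state-key layout of the OpenBSD 3.x-derived pf that FreeBSD 6.3 ships, with no NAT (so gwy equals lan), no TCP sequence/window tracking and no interface-bound states; the client port 4242 is constructed, and the `proto tcp` qualifier of rule 3 is left out because every packet modelled is TCP.

```python
"""Simplified model of pf state matching (added example, not pf's own code).

Assumptions: OpenBSD 3.x-era lan/ext/gwy state keys, no NAT, no TCP window
tracking, floating (not interface-bound) states, all packets are TCP.
"""
from dataclasses import dataclass
from typing import List, Optional

IN, OUT = "in", "out"


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: str            # "addr:port"
    dst: str            # "addr:port"
    syn_only: bool      # True for a bare SYN, False for a SYN/ACK


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None         # None matches any interface
    src: Optional[str] = None           # address only; None matches any
    dst: Optional[str] = None
    quick: bool = False
    keep_state: bool = False
    flags_s_sa: bool = False            # "flags S/SA": match bare SYNs only

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.iface in (None, pkt.iface)
                and self.src in (None, pkt.src.split(":")[0])
                and self.dst in (None, pkt.dst.split(":")[0])
                and (not self.flags_s_sa or pkt.syn_only))


class StateTable:
    """States keyed the way pf keys them: (lan, ext) for outbound lookups,
    (ext, gwy) for inbound lookups. Without NAT, gwy == lan."""

    def __init__(self) -> None:
        self.lan_ext = set()
        self.ext_gwy = set()

    def insert(self, pkt: Packet) -> None:
        if pkt.direction == OUT:        # state created by an outgoing packet
            lan, ext = pkt.src, pkt.dst
        else:                           # state created by an incoming packet
            ext, lan = pkt.src, pkt.dst
        gwy = lan
        self.lan_ext.add((lan, ext))
        self.ext_gwy.add((ext, gwy))

    def lookup(self, pkt: Packet) -> bool:
        # Both directions search (src, dst), but in different trees.
        tree = self.lan_ext if pkt.direction == OUT else self.ext_gwy
        return (pkt.src, pkt.dst) in tree


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Verdict per packet: state match passes; else last matching rule wins
    unless a matching rule is 'quick'; pf passes when nothing matches."""
    states = StateTable()
    verdicts: List[str] = []
    for pkt in packets:
        if states.lookup(pkt):
            verdicts.append("pass")
            continue
        winner = None
        for rule in rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None or winner.action == "pass":
            if winner is not None and winner.keep_state:
                states.insert(pkt)
            verdicts.append("pass")
        else:
            verdicts.append("block")
    return verdicts


# Guido's ruleset, as posted (rule indices 0..2 as pflog numbers them).
ORIGINAL = [
    Rule("pass", IN, "ep0", "1.2.3.1", "10.0.0.2", quick=True),
    Rule("block", OUT, "ep0", quick=True),
    Rule("pass", OUT, "bge0", "1.2.3.1", "10.0.0.2", quick=True, keep_state=True),
]

# Max's suggested ruleset: default block, state on both interfaces.
SUGGESTED = [
    Rule("block"),
    Rule("pass", IN, "ep0", "1.2.3.1", "10.0.0.2", keep_state=True, flags_s_sa=True),
    Rule("pass", OUT, "bge0", "1.2.3.1", "10.0.0.2", keep_state=True, flags_s_sa=True),
]


def handshake() -> List[Packet]:
    """The SYN and its SYN/ACK as pf sees them on each interface (constructed
    client port 4242; server port 25 as in the pflog line)."""
    client, server = "1.2.3.1:4242", "10.0.0.2:25"
    return [
        Packet("ep0", IN, client, server, True),    # SYN arrives
        Packet("bge0", OUT, client, server, True),  # SYN forwarded
        Packet("bge0", IN, server, client, False),  # SYN/ACK returns
        Packet("ep0", OUT, server, client, False),  # SYN/ACK forwarded
    ]


if __name__ == "__main__":
    print("original :", run(ORIGINAL, handshake()))
    print("suggested:", run(SUGGESTED, handshake()))
```

The model reproduces the pflog line: the state created out on bge0 stores (1.2.3.1, 10.0.0.2) in the tree searched for outbound packets, while the SYN/ACK leaving ep0 searches that tree for (10.0.0.2, 1.2.3.1), finds nothing, and falls through to rule 1, the block. Only a state created by the SYN arriving in on ep0 stores that reversed pair, which is why the suggested ruleset needs `keep state` on both the ep0 and the bge0 rule.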
