You know, you're right. I was thinking on the way into an interface, not on the way out. But, why not try this:
# hme0 - internet
# hme1 - internal

# to allow traffic destined for the firewall
pass in quick on hme1 from 10.0.0.0/8 to 10.0.0.1/32

# block traffic that's trying to leave
block in on hme1 from any to 10.0.0.0/8
block in on hme1 from any to 192.168.0.0/16

Wouldn't that work for you? Also, if you're NAT-ing everything, why would anything ever leave your network with a non-routable IP?

[ rest of email deleted, per your request... ]
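An added illustration, not part of the original email: a small Python model of IPFilter's rule matching (the last matching rule wins unless a matching rule is marked quick, which stops evaluation) run over the three rules above with constructed packets. It shows why the pass rule for the firewall's own address needs quick to beat the later block rules. The default action when no rule matches is assumed to be pass; protocol, port and direction are not modelled.

```python
import ipaddress

# The three rules from the message, restated as tuples:
# (action, quick, interface, source network, destination network).
# "any" is written as 0.0.0.0/0.
RULES = [
    ("pass",  True,  "hme1", "10.0.0.0/8", "10.0.0.1/32"),
    ("block", False, "hme1", "0.0.0.0/0",  "10.0.0.0/8"),
    ("block", False, "hme1", "0.0.0.0/0",  "192.168.0.0/16"),
]


def evaluate(rules, iface, src, dst, default="pass"):
    """Return the verdict for one packet arriving on `iface`.

    IPFilter semantics: walk the list in order, remember the LAST rule
    that matched, but stop immediately at a matching rule marked quick.
    `default` (assumed here to be pass) applies when nothing matches.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    verdict = default
    for action, quick, rule_iface, rule_src, rule_dst in rules:
        if rule_iface != iface:
            continue
        if s not in ipaddress.ip_network(rule_src):
            continue
        if d not in ipaddress.ip_network(rule_dst):
            continue
        verdict = action
        if quick:
            break  # quick: first match wins, later rules are not consulted
    return verdict


def without_quick(rules):
    """Same rules with every quick flag cleared, to show what changes."""
    return [(a, False, i, s, d) for a, _, i, s, d in rules]


# Constructed sample packets (internal host 10.1.2.3, firewall 10.0.0.1).
if __name__ == "__main__":
    cases = [("hme1", "10.1.2.3", "10.0.0.1"),     # to the firewall: pass
             ("hme1", "10.1.2.3", "10.5.5.5"),     # to another RFC1918 host: block
             ("hme1", "10.1.2.3", "203.0.113.9")]  # outbound to the internet: pass (default)
    for iface, src, dst in cases:
        print(iface, src, "->", dst, evaluate(RULES, iface, src, dst),
              "/ without quick:", evaluate(without_quick(RULES), iface, src, dst))
```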
