On 2014-04-07, Christophe <[email protected]> wrote:
[..]
Let's ignore the siproxd side of things and just look at the ruleset.
>> set skip on lo
>> set loginterface pflog0
>>
>> block in on ! lo0 proto tcp to port 6000:6010
>>
>> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
>>
>> pass in on em1 inet proto tcp from 172.18.160/24 to any port { 80, 443 } keep state
>> pass in on em1 inet proto icmp from 172.18.160.0/24 to any keep state
>>
>> pass in on em0 inet proto tcp from any to em0 port 22 keep state
>> pass in on em0 inet proto icmp from any to em0 keep state
>>
>> # Here is the rule I try to use .
>> pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 172.18.160.252 port 5060
>>
>> pass in on em0 inet proto udp from any to em0 port 5060 keep state
>> pass in on em0 inet proto udp from any to em0 port 17030:17080 keep state
You have no "pass" or "block" rules for any outbound traffic so the implicit
default is used for outbound traffic - this is "pass all no state" - I would
start the ruleset with an explicit "block" and then perhaps "pass out" if
that's what you want.
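For reference, the quoted ruleset rewritten along the lines of the reply above: an explicit "block" as the first rule so that the implicit "pass all no state" default no longer applies to outbound traffic, followed by explicit "pass out" rules. This is an added illustration, not a ruleset posted in the thread; it assumes em0 is the external interface and em1 faces the 172.18.160.0/24 LAN (inferred from the nat-to rule), and it leaves the siproxd/divert-to rule exactly as quoted.

```pf
# Added example, not from the thread. Assumed: em0 = external, em1 = LAN side.
set skip on lo
set loginterface pflog0

# Explicit default policy. pf uses last-match, so everything not passed
# by a later rule is dropped, and "log" sends the drops to pflog0 for
# inspection with tcpdump -n -e -ttt -i pflog0.
block log all

block in on ! lo0 proto tcp to port 6000:6010

match out log on em0 inet from 172.18.160.0/24 to any nat-to em0

# Traffic entering from the LAN
pass in on em1 inet proto tcp from 172.18.160.0/24 to any port { 80, 443 } keep state
pass in on em1 inet proto icmp from 172.18.160.0/24 to any keep state
pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 172.18.160.252 port 5060

# Traffic entering from the outside, to the firewall itself
pass in on em0 inet proto tcp from any to em0 port 22 keep state
pass in on em0 inet proto icmp from any to em0 keep state
pass in on em0 inet proto udp from any to em0 port 5060 keep state
pass in on em0 inet proto udp from any to em0 port 17030:17080 keep state

# Outbound is now subject to "block all" too, so state it explicitly:
# forwarded LAN traffic leaving em0 (after nat-to) and the firewall's own
# connections. Tighten these if the host should not originate traffic freely.
pass out on em0 inet keep state
pass out on em1 inet keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; the `block log all` line is what makes any unexpected drop visible on pflog0.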