Hi Misc@,

While testing my brand-new 4.3-beta AMD64.MP webserver, I applied a simple pf.conf to let some connections in and all out. But something interesting came out: pf actually blocks my webserver googlebot apps originating from the server, which is strange since I use "pass out all". So, I'm wondering if anybody on Misc@ could help me out with this. I appreciate any replies related to this.

Thanks,
Insan

A. pf.conf

ext_if="bge0"
set skip on lo
set optimization aggressive
set ruleset-optimization basic
set block-policy drop
scrub in all
antispoof quick for { lo $ext_if }
block log all
pass quick on $ext_if inet proto tcp from any to $ext_if:0 port { http, https, ssh } keep state
pass quick on $ext_if inet proto udp from abc.def.ghi.241 to $ext_if:0 port snmp
pass inet proto icmp from any to $ext_if:0
pass out log all

B. PFCTL -s rules

scrub in all fragment reassemble
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on bge0 inet6 from fe80::21a:64ff:fe6e:a09a to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! bge0 inet from abc.def.ghi.240/28 to any
block drop in quick inet from abc.def.ghi.245 to any
block drop log all
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = www flags S/SA keep state
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = https flags S/SA keep state
pass quick on bge0 inet proto tcp from any to abc.def.ghi.245 port = ssh flags S/SA keep state
pass quick on bge0 inet proto udp from abc.def.ghi.241 to abc.def.ghi.245 port = snmp keep state
pass inet proto icmp from any to abc.def.ghi.245 keep state
pass out log all flags S/SA keep state

C. From tcpdump -ettvi pflog0

1203958253.063557 rule 3/(match) [uid 0, pid 15307] block out on bge0: abc.def.ghi.245.www > crawl-66-249-72-103.googlebot.com.51771: [|tcp] (ttl 64, id 38177, len 1470