On Sunday 18 May 2008, Steve B wrote:
> set loginterface $ext_if
> set state-policy if-bound
> set skip on lo0
> set skip on enc0
Don't know exactly, but for starters: unless you have good reason for
changing some things from the default, I would recommend rewriting the
above by dropping both:
================
set loginterface $ext_if
set state-policy if-bound
================
Unless you can explain why you don't want the default of "floating" for
state-policy, maybe it's a good idea not to screw with it.
Also, just to clean up, the next two lines can be combined:
================
set skip on { lo0, enc0 }
================
Of course, if you're not tunneling ("ifconfig -A" shows no enc0) then
you don't need to skip the interface.
Also, I don't claim to be an expert, but if you're running a recent
version of OpenBSD then drop all of your keep/synproxy/modulate/flags
qualifiers, especially during troubleshooting. PF will, by default, use
the normally proper state options ("keep state" for udp, and "flags
S/SA keep state" for tcp). And my guess is that "synproxy state" is
only really useful for inbound connections on the external interface to
inside public IP address/port destinations (clarification from the
experts on this is welcome); if so, it seems out of place here.
Remember, you can always gum the works up after you get it working :)
--
Chris
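As an added illustration (not part of Chris's reply or of Steve's posted config), here is a pf.conf fragment that shows the explicit qualifiers beside the equivalent ruleset relying on the defaults Chris describes; the interface name, the port list and the DNS rule are assumed for the example.

```conf
# Added example, not from the original thread. Assumes OpenBSD 4.1 or
# later, where "keep state" (and "flags S/SA" for tcp) are implicit.
ext_if = "em0"                # assumed external interface name
tcp_services = "{ 22, 80 }"   # assumed inbound services

# Defaults left alone: no "set loginterface", no "set state-policy".
# The default policy is "floating" (a state matches on any interface);
# "if-bound" ties each state to the interface it was created on.
# Include enc0 only if "ifconfig -A" actually shows that interface.
set skip on { lo0, enc0 }

# --- Verbose form with every qualifier spelled out ---
# pass in  on $ext_if proto tcp to ($ext_if) port $tcp_services \
#     flags S/SA keep state
# pass in  on $ext_if proto udp to ($ext_if) port 53 keep state
# pass out on $ext_if keep state

# --- Equivalent form relying on the defaults (same behaviour) ---
pass in  on $ext_if proto tcp to ($ext_if) port $tcp_services
pass in  on $ext_if proto udp to ($ext_if) port 53
pass out on $ext_if
```

"pfctl -nf /etc/pf.conf" parses the file without loading it, which is a cheap sanity check while trimming qualifiers during troubleshooting.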