2009/2/25 patrick keshishian <pkesh...@gmail.com>:
> On Tue, Feb 24, 2009 at 9:48 PM, Hilco Wijbenga
> <hilco.wijbe...@gmail.com> wrote:
>> 2009/2/23 Jason Dixon <ja...@dixongroup.net>:
>>> ##########################################################
>>> 00 ext_if = "sk0"
>>> 01 int_if = "sk1"
>>> 02
>>> 03 set skip on lo
>>> 04
>>> 05 scrub in
>>> 06
>>> 07 nat on $ext_if from $int_if:network to any -> ($ext_if:0)
>>> 08
>>> 09 block in log all
>>> 10 pass in on $int_if inet keep state
>
> # I think you are missing a pass out on $ext_if rule
> 11 pass out on $ext_if
>
> w/o 11 all inbound packets are blocked by 09.
>
> --patrick
Please correct me if I'm wrong, but my understanding is that Jason's line 09 is only blocking packets that traverse interfaces in the *inward* direction (i.e. from the attached networks (WAN and LAN) *in*to the OpenBSD box). And I think that's why a "pass out" rule would be unnecessary, as the default is to pass packets.

Again, take this with truckloads of salt; I could be wrong, but I trust Jason. The things David and Jean-Francois wrote below strike me as much more promising and useful for figuring out why Hilco didn't have success with Jason's ruleset.

regards,
--ropers
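The direction semantics the two replies disagree about, shown on Jason's ruleset from the thread; the comments and the second variant at the end are an added illustration, not text from any list participant, and assume pf's default floating state policy.

```pf
# Jason's ruleset as quoted above, annotated by direction.
ext_if = "sk0"
int_if = "sk1"

set skip on lo

scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if:0)

# "block in" matches only packets ENTERING the box on an interface.
# Packets leaving on $ext_if are never evaluated against it, and pf's
# default for a packet that matches no rule is pass, so no explicit
# "pass out on $ext_if" rule is needed for this ruleset to work.
block in log all

# LAN packets entering on $int_if create state. Return traffic arriving
# on $ext_if is matched against the state table before any rule is
# consulted (state policy "floating" is the default), so the replies
# are not stopped by "block in log all" either.
pass in on $int_if inet keep state

# Variant with an explicit default deny in BOTH directions. Here the
# out direction has no implicit pass any more, so a "pass out" rule
# really is required, and this is the form where its absence breaks
# forwarding for the LAN:
#
# block log all
# pass in  on $int_if inet keep state
# pass out on $ext_if keep state
```

Either variant can be syntax-checked without loading it with `pfctl -nf /etc/pf.conf`; `pfctl -sr` afterwards shows the rules as pf actually parsed them, including the direction of each.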