>> # policy: default allow on all outbound traffic on all interfaces
>> pass out
>
> Guess what this part is doing. It enables any traffic from your
> router to outside world and will open appropriate ports back to your
> network.
OK. That makes sense, but all inbound traffic is dropped... so while all outbound traffic on any interface is permitted, and inbound traffic is passed... or does the combination of this rule and my 'block in log' rule not provide this behavior?

It is my understanding that you can block on an interface in one of two directions: either the inbound traffic or the outbound traffic. The result should be the same either way, right? You either block the inbound traffic of a connection or you block the return traffic. Conceptually, it made more sense to me to just block inbound traffic.

Perhaps I'm just being obtuse, but how would allowing all outbound traffic to pass through any of the interfaces automatically open the appropriate ports on the inbound side? For example: if I make ssh listen on *.ssh instead of just localhost and my internal interface, I should then be able to access it from the outside directly at port 22 (i.e., with the redirection rule); however, this does not seem to be the case, as I get a connection refused error if I do this.

I feel like this is pretty close to the issue - I have probably fundamentally misunderstood the interactions between my "block in log" rule and "pass out" rule. Thanks for everyone's replies and advice.
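An added pf.conf illustration (not from this thread and not the poster's ruleset) of how a "block in log" / "pass out" pair behaves under pf's default stateful filtering: "pass out" creates a state entry, so reply packets for connections the router or LAN started are matched against the state table and come back in without any "pass in" rule, but an unsolicited inbound connection to port 22 matches no state and is dropped by "block in log" unless an explicit inbound rule exists. Interface names, addresses and the port-22 rules are assumptions.

```pf
# Added example, not the original poster's configuration.
# Interface names and addresses are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo

# Default-deny inbound on every interface; log what is dropped to pflog0.
block in log

# Allow anything the router or the LAN originates outbound. Since OpenBSD 4.1
# "pass" keeps state by default, so the replies to these connections are
# matched in the state table and pass back in without a "pass in" rule.
# That is all "opens ports back" means: only replies, only for connections
# that were started from the inside.
pass out

# LAN hosts talking to the router itself (e.g. ssh from the internal side).
pass in on $int_if from $int_net to ($int_if)

# A new connection arriving on the external interface to port 22 creates no
# state and matches no "pass in" rule, so "block in log" drops it no matter
# which addresses sshd listens on. Exposing it needs an explicit rule:
pass in on $ext_if proto tcp from any to ($ext_if) port 22

# Forwarding the port to an internal host also needs its own pass rule
# (OpenBSD 4.7+ syntax; the target address is an assumption):
# pass in on $ext_if proto tcp from any to ($ext_if) port 22 rdr-to 192.168.1.10
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, inspect the state table with `pfctl -ss` to see the entries "pass out" creates, and watch `tcpdump -n -e -ttt -i pflog0` while testing: a packet logged there was dropped by the "block in log" rule, whereas a connection that is actively refused by the host indicates the packet reached the host and nothing was listening on that address and port.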

