Thank you Greg. It works now and I am happy.

Michael
On Sat, Mar 16, 2013 at 5:44 AM, Greg Troxel <g...@ir.bbn.com> wrote:
>
> Michael David <servers.da...@gmail.com> writes:
>
> > I want to allow ALL outgoing traffic on wm0 and only allow ssh and http in
> > on wm0
> >
> > My rules are as follows:
> >
> > pass out quick on any all    // this I believe will take care of lo0 also
> >
> > pass in quick on wm0 proto tcp from any to any port = 22 keep state
> > pass in quick on wm0 proto tcp from any to any port = 80 keep state
>
> Your basic issue is that you need to allow replies to outgoing traffic.
>
> So, my advice:
>
> do not use quick. that's a preference, but I like last match
>
> basic setup:
>
> pass out keep state
> block in
> pass in port 22
>
> so then all outgoing packets are allowed, and the pass out will set up
> per-flow dynamic allow rules to let replies back in.
>
> you may also want keep frags somehow. I'm fuzzy on the details, but in
> the modern world you may see fragments coming back to dns queries due to
> dnssec key records
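A complete ruleset that applies Greg's sketch, added here as an illustration and not taken from either message. It assumes IPFilter (ipf) syntax, which the original rules appear to use, that wm0 is the only external interface, and Greg's last-match ordering (no quick):

```conf
# /etc/ipf.conf  (IPFilter, last-match semantics: the LAST matching rule
# wins, so rules run from broad to specific)

# Loopback is trusted; lo0 needs no state tracking.
pass in on lo0 all
pass out on lo0 all

# Default: drop anything arriving on wm0 that no later rule allows.
block in on wm0 all

# Inbound services: only new SSH and HTTP connections (SYN only), tracked
# so their reply packets are matched by the state table, not by rules.
pass in on wm0 proto tcp from any to any port = 22 flags S keep state
pass in on wm0 proto tcp from any to any port = 80 flags S keep state

# Outbound: catch-all first. With last-match it must come BEFORE the
# stateful rules below, or it would win and no state would be created.
pass out on wm0 all

# "keep state" on outbound traffic is what creates the per-flow entry that
# lets replies back in past the "block in" above. "keep frags" covers
# fragmented UDP replies, e.g. large DNSSEC answers to DNS queries.
pass out on wm0 proto tcp from any to any flags S keep state
pass out on wm0 proto udp from any to any keep state keep frags
pass out on wm0 proto icmp from any to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` and confirm that outgoing connections populate the state table with `ipfstat -s`; the original ruleset failed because no such entries existed for outbound flows.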