On Tue, Nov 19, 2002 at 10:00:08PM -0800, Ed Herkel wrote:

> block out log all
> block in log all
> block return-rst in log inet proto tcp all
> block return-rst out log inet proto tcp all
> block return-icmp in log inet proto udp all
> block return-icmp out log inet proto udp all
This default block section applies to all interfaces, including the internal interface. Note that states created on the external interface don't allow associated packets to pass other interfaces automatically. If you really want to filter on the internal interface as well, add rules that define which connections to pass there as well (including creating states there). Otherwise, add something like this after the default block section:

  pass in quick on $int_if all
  pass out quick on $int_if all

so the internal interface isn't filtered at all, and all filtering happens on the external interface.

Daniel
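The two approaches Daniel describes, assembled into one pf.conf as an added example (this is not from the original thread): the default block section from the question, followed by either the unfiltered-internal-interface shortcut or explicit stateful pass rules on the internal interface. The interface names, the internal network, and the external-interface pass rules are assumptions for illustration; NAT and any inbound services on the external interface are left out.

```pf
# Added example, not part of the original message. Interface names and the
# internal network are assumed values for illustration.
ext_if  = "ne3"
int_if  = "xl0"
int_net = "192.168.1.0/24"

# Default block section from the question. It has no 'on <interface>'
# clause, so it applies to every interface, including $int_if.
block out log all
block in log all
block return-rst in log inet proto tcp all
block return-rst out log inet proto tcp all
block return-icmp in log inet proto udp all
block return-icmp out log inet proto udp all

# Option 1: do not filter the internal interface at all. 'quick' makes these
# the final match for traffic on $int_if, so all filtering happens on $ext_if.
pass in quick on $int_if all
pass out quick on $int_if all

# Option 2 (use instead of option 1): filter the internal interface too.
# States created on $ext_if do not let matching packets through $int_if, so
# the pass rules on $int_if must create their own states. Only traffic that
# originates from $int_net is allowed in; replies match the state.
# pass in quick on $int_if inet proto tcp from $int_net to any flags S/SA keep state
# pass in quick on $int_if inet proto udp from $int_net to any keep state

# External interface: allow outbound connections and keep state so that
# replies are passed back in on $ext_if. Everything else on $ext_if stays
# blocked by the default block section above.
pass out on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out on $ext_if inet proto udp from any to any keep state
```

Whichever option is chosen, the external-interface rules are still needed: a state created on $int_if covers only that interface, so the same connection has to be passed (and tracked) separately on $ext_if, which is exactly the point of the reply.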
