On Fri, Jul 18, 2003 at 01:01:44PM +0200, Uwe Reiher wrote:
> Aah, the main problem was the "block return" policy?

Yes, that statement tells pf to use 'return-rst/-icmp' implicitly in each block rule. Remove it, and the block rules just drop packets silently, without sending a reply. See pf.conf(5) about the details and implications.

> The main problem is that I have only a /29 subnet, and I need all the
> IPs. Is it ok to work with the drop-policy?

You can try to add routing table entries without assigning addresses to the bridge interfaces, not sure whether that works.

If you only care about replies to blocked packets coming from the external interface, you can assign a fake address to just the external bridge interface, so all replies get sent out there.

But without proper routing table entries, return-rst/-icmp won't work, and you have to disable the replies.

Daniel
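The two policies Daniel contrasts, written out as a pf.conf fragment for a filtering bridge; this is an added illustration, not a ruleset from the thread, and it assumes a macro `ext_if` naming the outside bridge member and that the bridge members carry no IP address of their own.

```pf
# Added example (not from the list post). Assumption: $ext_if is the
# outside member of an address-less bridge.
ext_if = "fxp0"

# The setting that caused the problem: with a global "return" policy
# every plain "block" rule behaves like "block return", so pf tries to
# send a TCP RST or ICMP unreachable back to the sender. On a bridge
# whose members have no address and no matching route, those replies
# cannot be sent, which is the failure described above.
#set block-policy return

# Corrected setting: blocked packets are discarded silently, so nothing
# has to be routed back and the address-less bridge works as intended.
set block-policy drop

# With the global policy set to drop, a plain block rule is silent.
block in on $ext_if

# Replies can still be requested per rule if a particular service should
# answer; these rules only work once a route back to the sender exists
# (e.g. a fake address on the external bridge member, as Daniel suggests).
block return-rst  in on $ext_if proto tcp  to port 113
block return-icmp in on $ext_if proto udp  to port 33434:33523

# Explicitly allowed traffic; "keep state" is spelled out for older pf
# releases that do not create state by default.
pass in on $ext_if proto tcp to port { 22 80 } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with the global policy set to `drop`, `pfctl -sr` shows the plain `block` rule without any `return` qualifier, while the two rules that explicitly request replies keep theirs.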
