I'm running a 3.3 release firewall and am having a simple problem that 
I've never had before.
Two nics, external and internal.  Internal has ip 192.168.0.1, and all 
machines behind it are on 192.168.0.0/24.

using these rules, I cannot get internal traffic to leave the box.

>nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
>block out on $ext_if all
>pass out on $ext_if inet proto { tcp, udp, icmp } from 192.168.0.0/24 \ 
>to any keep state


If I remove the block rule, everything works fine.  If I change the pass 
rule to 'from any to any', everything works fine.

I have a second internal nic on a different subnet.  I am attempting to 
assign outgoing traffic to different queues based on subnet of origin.  
This is how this problem was discovered.  

I had two 'pass out' rules (minus the block out rule), each assigning 
their traffic to a different queue.  All the traffic was ending up in the 
default queue, I am assuming this is because nothing matched either 'pass 
out' rule.  With the 'block out on $ext_if all' rule before the two 'pass 
out' rules, no traffic was able to leave the box.

I've scoured the faq and man page for pf.conf, which only seem to 
confirm that my line of thought is correct.  Furthermore, I've set up a 
nearly identical configuration before and had none of these problems.


Can someone tell me what's going on here?



Thanks,
Sean Balch



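Editor's note and added example, not part of the original post: in pf of the OpenBSD 3.3 era, nat rules are evaluated before filter rules on the outbound interface, so by the time `pass out on $ext_if` is checked the packet's source address has already been rewritten to $ext_if's address and no longer falls in 192.168.0.0/24. With no pass rule matching, `block out on $ext_if all` wins; removing the block rule or widening the pass rule to `from any` hides the mismatch, which is exactly the behaviour described above. The fragment below contrasts the posted pass rule with one that matches the translated address, and shows one way to keep per-subnet queue assignment by matching before translation. Interface names, subnets, bandwidth and queue names are assumptions for illustration, not values from the post.

```pf
# Added example, not from the original post. Interface, subnet and queue
# names are assumed for illustration.
ext_if  = "fxp0"
int_if  = "fxp1"
int_if2 = "fxp2"
lan_a   = "192.168.0.0/24"
lan_b   = "192.168.1.0/24"

# Queues live on the external interface; bandwidth figures are assumed.
altq on $ext_if cbq bandwidth 1Mb queue { q_def, q_a, q_b }
queue q_def bandwidth 20% cbq(default)
queue q_a   bandwidth 40%
queue q_b   bandwidth 40%

# Translation is applied before the outbound filter rules are evaluated.
nat on $ext_if from { $lan_a, $lan_b } to any -> ($ext_if)

block out on $ext_if all

# As posted: never matches, because the source has already been rewritten
# to $ext_if's address by the nat rule above.
# pass out on $ext_if inet proto { tcp, udp, icmp } from $lan_a to any keep state

# Corrected: match the post-translation source address.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Per-subnet queueing: after translation both subnets look identical on
# $ext_if, so the decision has to be made where the original source is
# still visible. Assumption: the queue of the rule that creates the state
# is applied to packets matching that state when they leave $ext_if.
pass in on $int_if  inet proto { tcp, udp, icmp } from $lan_a to any keep state queue q_a
pass in on $int_if2 inet proto { tcp, udp, icmp } from $lan_b to any keep state queue q_b
```

The `pass in` queue assignment relies on states not being bound to a single interface in this release, so the state created on the internal interface is matched again when the packet leaves $ext_if; verify this against pf.conf(5) for the exact release in use, and check the result with `pfctl -vs queue` while generating traffic from each subnet. Later pf releases add `tag`/`tagged`, which is the cleaner way to carry a per-subnet decision across translation.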