On Fri, Jan 23, 2004 at 10:29:06PM +0100, rmkml wrote:
> ext_if="xl0"
> int_if="vr0"
>
> block return in log all
> pass in on $ext_if proto tcp from 192.168.0.0/22 port > 1023 to
> {192.168.0.2, 192.168.0.3} port 139 keep state
> #pass in on $int_if proto tcp from {192.168.0.2, 192.168.0.3}
> port 139 to 192.168.0.0/22 port > 1023
Packets crossing the bridge must pass both $ext_if and $int_if, and your
ruleset must allow them to pass both. The SYN passing in on $ext_if must
also be allowed to pass out on $int_if. Creating state on $ext_if for
the incoming packet does not automatically allow the packet to pass out
on $int_if; you need to add a rule explicitly allowing that. You get
two state entries for each connection (in on $ext_if, out on $int_if),
and those two will then cover all packets of the connection in both
directions.
Daniel
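The ruleset below is an added illustration, not part of the original thread, of the fix Daniel describes: it keeps rmkml's variables and the block rule and adds the missing "pass out on $int_if" rule so the same SYN is allowed on both bridge members. The $servers macro and the bridge interface names being xl0/vr0 on the filtering box are assumptions.

```pf
ext_if="xl0"
int_if="vr0"
# assumed macro for the two SMB servers behind the bridge
servers="{ 192.168.0.2, 192.168.0.3 }"

# default deny with logging, as in the original ruleset
block return in log all

# SYN from the LAN toward the servers enters the bridge on $ext_if;
# keep state creates the first state entry (in on $ext_if)
pass in  on $ext_if proto tcp from 192.168.0.0/22 port > 1023 \
    to $servers port 139 keep state

# the same SYN must also be allowed to leave the bridge on $int_if;
# this creates the second state entry (out on $int_if); together the two
# entries cover the rest of the connection in both directions
pass out on $int_if proto tcp from 192.168.0.0/22 port > 1023 \
    to $servers port 139 keep state
```

Check the result with "pfctl -nf /etc/pf.conf" for syntax and "pfctl -ss" to confirm that one connection shows up as two state entries, one per interface.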