On Tue, Dec 13, 2005 at 01:22:48PM -0800, Jonathan Rogers wrote:

> # Rule 1.5 get stuff in to the firewall for NATing
> pass in quick on $good_if inet from $good_net to any
Add 'keep state' to the above rule, so it reads

  pass in quick on $good_if inet from $good_net to any keep state

otherwise the replies are blocked when they try to go out through the internal interface. The state created on the external interface by the nat rule does not cover the packets on the internal interface. So you actually need to create two separate state entries per connection, one incoming on the internal interface (without translation) and one outgoing on the external interface (with nat).

Another approach is to skip filtering on the internal interface altogether, using "pass quick on $good_if" or, better, "set skip on $good_if".

Daniel
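The following pf.conf fragment is an added example, not from the thread or from Daniel, that puts the rule as posted next to the corrected form and the "set skip" alternative described above. The interface names, the internal network and the "block all" default are assumptions; only $good_if, $good_net and the rule text come from the message.

```pf
# Added example, not from the original thread. Interface names and the
# internal network are assumptions for illustration.
ext_if   = "xl0"
good_if  = "xl1"
good_net = "192.168.1.0/24"

# Alternative mentioned in the reply: do not filter the internal
# interface at all. Options must precede the translation and filter
# rules; uncomment this and the "pass in" rule below becomes moot.
# set skip on $good_if

# Translation happens on the external interface only. The state this
# creates belongs to $ext_if and does not match packets on $good_if.
nat on $ext_if inet from $good_net to any -> ($ext_if)

block all

# As posted (stateless): the outbound packet passes here, but the reply
# coming back out $good_if matches no state and hits "block all".
#   pass in quick on $good_if inet from $good_net to any
#
# Corrected: the first of the two state entries per connection, created
# on the internal interface with the untranslated address.
pass in quick on $good_if inet from $good_net to any keep state

# The second state entry, created on the external interface after the
# nat rule has rewritten the source address.
pass out quick on $ext_if inet keep state
```

Check the result with `pfctl -s state` after an internal host opens a connection: with the corrected rules there are two entries per connection, one on each interface, and with `set skip on $good_if` only the external one.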
