On Wed, Jan 05, 2011 at 08:42:03PM -0800, Bonnie Packet wrote:
> So my question is, again, how regular packets from the Net pass out to
> the wireless network over rl0. Is this somehow a function of the NAT
> rules that I don't understand? Or something to do with established TCP
> connections being already green-lit? I would think without an explicit
> rule they'd be blocked (default block at the very end).

Those packets are replies for connections opened from a wireless client to
a server on the external net? Then, yes, those are passed back in due to
the 'keep state' option you use on the rule

> pass in quick on $wls_if inet from 192.168.1.140 to any flags S/SA
> keep state

This allows connections to be opened from 192.168.1.140 to any host, and
covers both packets flowing from 192.168.1.140 to the server AND packets
(that are part of such connections) back from the server to the client;
it's the whole point of the 'keep state' part.

If you mean other packets, please explain what kind. Since the wireless net
has a non-routable address range, the only way packets from the external net
would end up there is if they were initially directed to the routable
external address, then de-NAT'd, which is only possible if there's a state
entry (based on an outgoing packet).

Daniel
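The mechanism Daniel describes, as an added illustration that is not part of the thread: a small model of a default-block filter with NAT and one 'keep state' rule, showing that only an outbound SYN from the wireless client creates a state entry, that the server's reply is matched against that entry and de-NAT'd, and that an unsolicited external packet is blocked. The external address 203.0.113.10, the external interface xl0 and the server address are constructed; 192.168.1.140 and rl0 come from the thread.

```python
from collections import namedtuple

# Constructed sample addresses. 192.168.1.140 and rl0 come from the thread;
# the firewall's routable external address and external interface are assumed.
WLS_CLIENT = "192.168.1.140"
WLS_IF, EXT_IF = "rl0", "xl0"
EXT_ADDR = "203.0.113.10"

Packet = namedtuple("Packet", "iface src sport dst dport syn")

class StatefulNatFilter:
    """Model of the policy in the thread: block by default, NAT outbound
    traffic to EXT_ADDR, and one 'pass in quick on $wls_if ... keep state'
    rule. Only an outbound packet from the client can create a state entry."""

    def __init__(self):
        # state key: (external src addr, sport, server, dport) -> real client addr
        self.states = {}

    def filter(self, pkt):
        """Return the verdict for a packet arriving inbound on pkt.iface."""
        # 1. The state table is consulted before the ruleset is evaluated.
        if pkt.iface == EXT_IF:
            # Reply from a server: dst is the routable address we NAT'd to.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.states:
                return f"pass (de-NAT to {self.states[key]})"
        elif pkt.src == WLS_CLIENT and \
                (EXT_ADDR, pkt.sport, pkt.dst, pkt.dport) in self.states:
            return "pass"  # later packets of an established client connection
        # 2. No state: evaluate rules. 'flags S/SA' means only initial SYNs match.
        if pkt.iface == WLS_IF and pkt.src == WLS_CLIENT and pkt.syn:
            self.states[(EXT_ADDR, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
            return "pass"
        # 3. Default block at the very end: unsolicited external packets never
        #    reach the non-routable wireless net because nothing de-NATs them.
        return "block"

def demo():
    """Walk one connection through: client SYN, server reply, then an
    unsolicited packet from outside with no matching state entry."""
    fw = StatefulNatFilter()
    syn = Packet(WLS_IF, WLS_CLIENT, 40000, "198.51.100.5", 80, True)
    reply = Packet(EXT_IF, "198.51.100.5", 80, EXT_ADDR, 40000, False)
    stray = Packet(EXT_IF, "198.51.100.5", 80, EXT_ADDR, 40001, True)
    return [fw.filter(syn), fw.filter(reply), fw.filter(stray)]

if __name__ == "__main__":
    print(demo())
```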
