Volker wrote:
>
> Kevin,
>
> helping you with just this snippet of rules is like fishing in the
> dark.
>
> Your rules do the following: A connection coming from a single IP
> address (/32) is passing the firewall on the external IF. As it does
> not create state (no keep state option) the answer to that incoming
> connection will probably never reach the originating IP address.
>
> As you're logging but do not keep state, you're getting a whole
> bunch of log entries which might render your logs unreadable (every
> packet is being logged instead of every connection).
>
> If your rules work properly for other hosts (again, your snippet of
> rules is useless for supporting you) I'm wondering if your Vista
> machine does IPv6 and does not try v4? I don't know Vista at all but
> I guess v6 support is built in.
>
> Greetings,
>
> Volker

I was hoping that the issue was simple and common, due to Vista's
emphasis on ipv6 among other networking issues. Either way, below is
my entire pf configuration. I hope it helps.

### Firewalls are Sun Netra X1 UltraSPARC IIe 400
ext_if="dc1"
int_if="dc0"
loop_if="lo0"
internal_addr="xxx.xxx.xxx.x
external_addr="xx.xxx.xxx.xxx
internal_net="xxx.xxx.xxx.x
external_net="xx.xxx.xxx.xxx

### Load carp interfaces
c1="carp1"
c130="carp130"
c131="carp131"
c132="carp132"
c133="carp133"
c134="carp134"
c135="carp135"
c136="carp136"
c137="carp137"
c138="carp138"
c139="carp139"
c140="carp140"
c141="carp141"
c142="carp142"
c143="carp143"
c144="carp144"
c145="carp145"
c146="carp146"
c147="carp147"
c148="carp148"
c149="carp149"
c150="carp150"
c151="carp151"
c152="carp152"
c153="carp153"
c154="carp154"
c155="carp155"
c156="carp156"
c157="carp157"
c158="carp158"
c159="carp159"
c160="carp160"
c161="carp161"
c162="carp162"
c163="carp163"
c164="carp164"
c165="carp165"
c166="carp166"
c167="carp167"
c168="carp168"
c169="carp169"
c170="carp170"
c171="carp171"
c172="carp172"
c173="carp173"
c174="carp174"
c175="carp175"
c176="carp176"
c177="carp177"
c178="carp178"
c179="carp179"
c180="carp180"
c181="carp181"
c182="carp182"
c183="carp183"
c184="carp184"
c185="carp185"
c186="carp186"
c187="carp187"
c188="carp188"

InServicesTCP = "{ http, https }"
InServicesUDP = "{ domain, ntp, rpc }"
OutServicesTCP = "{ http, https, whois }"
OutServicesUDP = "{ ntp, domain, rpc }"
ProtoBlocked = "{ tcp, udp }"

table <carpext> const file "/etc/firewall/carp_extaddr.tbl"
table <private> const file "/etc/firewall/ip_localblock.tbl"
table <caught> persist file "/etc/firewall/ip_caught.tbl" file "/etc/firewall/ip_exploit.tbl"
#table <excess_conns> file "/etc/firewall/excess_conns.tbl"
table <excess_conns_130> persist
table <excess_conns_131> persist
table <excess_conns_132> persist
table <excess_conns_133> persist
table <excess_conns_134> persist
table <excess_conns_135> persist
table <excess_conns_136> persist
table <excess_conns_137> persist
table <excess_conns_138> persist
table <excess_conns_139> persist
table <excess_conns_140> persist
table <excess_conns_141> persist
table <excess_conns_142> persist
table <excess_conns_143> persist
table <excess_conns_144> persist
table <excess_conns_145> persist
table <excess_conns_151> persist
table <excess_conns_ftp130> persist
table <excess_conns_ftp135> persist
table <excess_conns_ftp143> persist
table <webips> const file "/etc/firewall/web_server_ips.tbl"
#table <sshhacks> persist file "/etc/firewall/ssh_hackers.tbl"
table <sshhacks> persist
table <sendmail_hacks> persist file "/etc/firewall/sendmail_hacks.tbl"
table <blacklistproxies> persist file "/etc/firewall/blacklistproxies.tbl"
table <port_scans> persist file "/etc/firewall/port_scanners.tbl"

#### open for unabated users
table <unabated> { xx.xxx.xxx.xxx }

#### nfs table for hosts
#table <nfs> { xxx.xxx.xxx.x

##### Safe users
table <safeusers> { xxx.xxx.xxx.x }

# Options: tune the behavior of pf, default values are given.
set timeout { interval 30, frag 60, src.track 180 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 2000000, frags 1000000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

### rdr's
rdr on $ext_if proto tcp from any to ($c130) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c131) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c136) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c137) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c138) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c139) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c140) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c141) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c142) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c144) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c145) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c146) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c148) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c149) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c150) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 80 -> xxx.xxx.xxx.x

### Port 443 required mappings
rdr on $ext_if proto tcp from any to ($c131) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 443 -> xxx.xxx.xxx.x

#### Port 22 maps
rdr on $ext_if proto tcp from any to ($c130) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c169) port 22 -> xxx.xxx.xxx.x

##### Port 21 / FTP
rdr on $ext_if proto tcp from any to ($c130) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c130) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 2121 -> xxx.xxx.xxx.x

##### Port 21 / FTP
rdr on $ext_if proto tcp from any to ($c130) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 20 -> xxx.xxx.xxx.x

##### Passiv3 mod3 FtP
rdr on $ext_if proto tcp from any to ($c130) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 50000:50050 -> xxx.xxx.xxx.x

##### Port 873 for rsync
rdr on $ext_if proto tcp from any to ($c143) port 873 -> xxx.xxx.xxx.x

####### Nat back out for connections initiated behind the firewall
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x

### Carp specific pass rules
pass quick on { dc0 } proto pfsync
pass quick on { dc0 dc1 } proto carp keep state

#### Before block in all is turned back on make sure you don't get locked out
#### allow safeusers
pass in quick on $ext_if inet proto tcp from <unabated> to any flags S/SA keep state
pass in quick on $ext_if inet proto udp from <unabated> to any keep state
pass in quick on $ext_if inet proto icmp from <unabated> to any keep state

### Office for Vista issue -- no state
pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any

# Filtering ---- first up is the default block
block in all
#block in on $ext_if

### block private addresses
block drop in quick on $ext_if from <private> to any
block drop out quick on $ext_if from any to <private>

### Allow NFS traffic
pass in quick on $int_if inet proto tcp from <nfs> to xxx.xxx.xxx.x
pass in quick on $int_if proto udp from <nfs> to xxx.xxx.xxx.x
pass out quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $int_if inet proto udp from xxx.xxx.xxx.x

# Allow safehost access to web / FTP
pass in quick on $ext_if inet proto tcp from <safeusers> to <webips> port $InServicesTCP flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto icmp from <safeusers> to <webips> keep state

#### Block sendmail hacks & port scans
block drop quick from <sendmail_hacks>
block drop quick from <port_scans>

#### Block Excess connections - DoS - SSH hackers - but allow for them to recieve the generic message
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_130> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_131> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_132> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_133> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_134> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_135> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_136> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_137> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_138> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_139> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_140> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_141> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_142> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_143> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_144> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_145> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_151> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp130> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp135> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp143> to any

### catch ssh hacks
pass in quick on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 1, max-src-conn-rate 1/200, overload <sshhacks> flush global)
pass in quick on $int_if inet proto tcp from any port 22 to any flags SA/SAFR keep state

### block caught
pass out quick on $ext_if from any to xx.xxx.xxx.xxx
pass in quick on $ext_if from xx.xxx.xxx.xxx
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep state
block drop in quick on $ext_if from <caught> to any
block drop in quick on $ext_if from <carpext> to any
block drop in quick on $ext_if from $ext_if to any
block drop out quick on $ext_if from any to <carpext>
block drop out quick on $ext_if from any to $ext_if

#### Explicit allow connections into the f/wall from the internal network
pass in quick on $int_if proto tcp from $internal_net to $internal_addr port 22 flags S/SA keep state
pass in quick on $int_if proto udp from $internal_net to $internal_addr port 53 keep state
pass in quick on $int_if proto icmp from $internal_net to $internal_addr keep state

##### Apply anti-spoof blocks
block drop in quick on $int_if from any to <private>
block drop in quick on $int_if from any to $internal_net

##### loopback interface
pass in quick on $loop_if all
pass out quick on $loop_if all

## block web access to this hosts BASE
block drop in quick on $ext_if proto tcp from any to $external_addr port 443
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x

#### FtP SerViCeS --- 21 and PasSiVe
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
###(max-src-conn 74, max-src-conn-rate 100/2, overload <excess_conns_ftp130> flush global)
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x

###### allow mail rsync, etc
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port 2620
pass in quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to any port 2620
pass out quick on $int_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass out quick on $int_if inet proto udp from any to any port 2620

##### dns services have to be allowed
pass in quick on $ext_if inet proto udp from any to $external_addr port 53 keep state
pass in quick on $ext_if inet proto udp from any port 53 to $internal_net keep state
pass in quick on $ext_if inet proto udp from any port 53 to any keep state

#### temp. ftp outbound for port updates / src updates / etc
#pass in quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass in quick on $int_if inet proto tcp from any to any port 21 keep state
#pass out quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass out quick on $int_if inet proto tcp from any to any port 21 keep state

##### with the block in all allow ns-2 full acess
######## END OF INBOUND allows on the ExTeRnAL InterFac3 ########

### allow SA responses back to initial SYN inbounds
pass in quick on $int_if proto tcp from <webips> port 80 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 443 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 21 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 20 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 50000:50050 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> to <unabated> flags SA/SAFR keep state
pass in quick on $int_if proto udp from <webips> to <unabated> keep state
pass in quick on $int_if proto icmp from <webips> to <unabated> keep state
pass in quick on $int_if proto tcp from <webips> to <safeusers> flags SA/SAFR keep state
pass in quick on $int_if proto udp from <webips> to <safeusers> keep state
pass in quick on $int_if proto icmp from <webips> to <safeusers> keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

### Vista rules
pass in log quick on $int_if proto tcp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto udp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto icmp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

############ Some outbound rules ###########
pass out quick on $ext_if proto udp from $external_addr to any port 123 keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 22 flags S/SA keep state
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 80 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 43 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 443 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 5999 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to xxx.xxx.xxx.x/32 port 25 flags S/SA keep state

#allow traceroute from fw -> host , this is really slow and doesnt work properly
#pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
#pass out quick on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 53 keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 123 keep state
pass in quick on $int_if proto icmp from $internal_net to any keep state
pass in quick on $int_if proto tcp from $internal_net to any port 43 flags S/SA keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
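
A check for the two problems described in Volker's quoted reply (pass rules that create no state, and `log` on such a rule recording every packet), as an added example that is not part of the original thread. It assumes a pf version where a rule creates state only when it says so, as the reply describes; the function names `logical_rules` and `audit`, the sample rules and the addresses are constructed for illustration.

```python
import re

# A pass rule creates state only if it carries one of these keywords
# (assumption: pf version without implicit "keep state", as in the thread).
STATE_RE = re.compile(r"\b(?:keep|modulate|synproxy)\s+state\b")
LOG_RE = re.compile(r"\blog\b")

# Constructed sample; addresses are documentation ranges, not from the thread.
SAMPLE = r"""ext_if="dc1"
int_if="dc0"
# per-host exception without state, modelled on the thread's "Vista" rules
pass in log quick on $ext_if inet proto tcp from 192.0.2.10/32 to any
pass in quick on $ext_if inet proto udp from 192.0.2.10/32 to any
pass in quick on $ext_if inet proto tcp from any to any port 22 \
    flags S/SA keep state (max-src-conn 1)
pass in log quick on $ext_if inet proto tcp from 192.0.2.10/32 to any \
    flags S/SA keep state
block in all
"""


def logical_rules(text):
    """Yield (first_line_no, rule) with comments stripped and
    backslash continuations joined. '#' handling is deliberately naive."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule = " ".join((buf + line).split())
        if rule:
            yield start, rule
        buf, start = "", None


def audit(text):
    """Return (line_no, issue, rule) for every pass rule without state.

    "stateless"     : replies need their own matching rule to get back out
    "stateless+log" : additionally, every packet is logged, not every connection
    """
    findings = []
    for lineno, rule in logical_rules(text):
        if not rule.startswith("pass ") or STATE_RE.search(rule):
            continue
        issue = "stateless+log" if LOG_RE.search(rule) else "stateless"
        findings.append((lineno, issue, rule))
    return findings


if __name__ == "__main__":
    for lineno, issue, rule in audit(SAMPLE):
        print(f"line {lineno}: {issue}: {rule}")
```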