On Sun, Aug 14, 2005 at 09:13:07PM +0200, Erik Wikström wrote:
> On 2005-08-14 19:17, stan wrote:
> >On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote:
> >>I've got 2 rules like this:
> >>
> >>pass out on $int_if from any to any keep state
> >>pass in on $int_if from any to any keep state
> >>
> >>That I think I should be able to replace with:
> >>
> >>pass out on $int_if from any to any keep state
> >>pass in on $int_if from any to any keep state
> >>
> >>But when I do this, I get the following packets dropped.
> >>
> >>Aug 14 12:08:05.230735 rule 0/(match) block out on fxp2: 171.85.113.55.2318 > 171.85.106.133.161: GetRequest(5)[|snmp]
> >>
> >>requisite defs are:
> >>
> >>int_if="fxp2"
> >>
> >>and the /etc/hostname.fxpo looks like this:
> >>
> >>inet 171.85.113.111 255.255.255.128 NONE
> >>
> >>What am I missing here?
> >>
> >Sorry for the stupid cut and paste error.
> >
> >Here are the rules I want to use :-(
> >
> >
>
> Shouldn't that be
>
> >pass in on $int_if from $int_if:network to any keep state
> pass in on $int_if from any to $int_if:network keep state

I think this is backwards.

> >pass out on $int_if from any to $int_if:network keep state
> pass out on $int_if from $int_if:network to any keep state

This one too. Or am I looking at this wrong?

Here's what I see:

Internal network -> fxp2 ($int_if)

So, I want to pass in on it any traffic that originates on that network, and I want to pass out on it any traffic that (having survived the rules on the external interface) is bound for it.

Or am I confused?

-- 
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
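As an added illustration, not part of the thread: a small Python model of pf's last-match rule evaluation that expands `$int_if:network` from the hostname line quoted above and runs the logged packet through the rules stan says he wants to use. The `block all` standing in for "rule 0", and the omission of `keep state` tracking, are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Interface definition quoted in the thread (the /etc/hostname.fxp* line),
# keyed by the interface name the thread assigns to $int_if.
IFACE_CONFIG = {"fxp2": "inet 171.85.113.111 255.255.255.128 NONE"}


def iface_network(iface: str) -> ipaddress.IPv4Network:
    """Expand pf's <iface>:network from the hostname.if(5) 'inet addr mask' line."""
    _, addr, mask, *_ = IFACE_CONFIG[iface].split()
    return ipaddress.ip_interface(f"{addr}/{mask}").network  # 171.85.113.0/25


@dataclass
class Rule:
    action: str     # "pass" or "block"
    direction: str  # "in", "out" or "any"
    iface: str      # interface name or "any"
    src: str        # "any" or "<iface>:network"
    dst: str        # "any" or "<iface>:network"


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    name, _, keyword = spec.partition(":")
    if keyword != "network":
        raise ValueError(f"unsupported address spec {spec!r}")
    return ipaddress.ip_address(addr) in iface_network(name)


def evaluate(rules, direction: str, iface: str, src: str, dst: str) -> str:
    """Return the action of the last matching rule (pf semantics without 'quick').
    State tracking ('keep state') is not modelled; only rule matching is."""
    action = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if rule.direction not in ("any", direction) or rule.iface not in ("any", iface):
            continue
        if addr_matches(rule.src, src) and addr_matches(rule.dst, dst):
            action = rule.action
    return action


# Assumed 'block all' standing in for the logged rule 0, followed by the two
# pass rules stan wants to use (his quoted versions, not Erik's).
RULES = [
    Rule("block", "any", "any", "any", "any"),
    Rule("pass", "in", "fxp2", "fxp2:network", "any"),
    Rule("pass", "out", "fxp2", "any", "fxp2:network"),
]

if __name__ == "__main__":
    # The logged packet: leaving fxp2 for a host outside fxp2's own /25.
    print(evaluate(RULES, "out", "fxp2", "171.85.113.55", "171.85.106.133"))  # block
    # A packet bound for a host inside the /25 is covered by the 'pass out' rule.
    print(evaluate(RULES, "out", "fxp2", "171.85.106.133", "171.85.113.55"))  # pass
```

The logged packet is blocked because its destination, 171.85.106.133, lies outside the 171.85.113.0/25 that `$int_if:network` expands to, so only the block rule matches it.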