On 2005-08-14 19:17, stan wrote:
On Sun, Aug 14, 2005 at 12:24:43PM -0400, stan wrote:
I've got 2 rules like this:

pass out on $int_if from any to any keep state
pass in on $int_if from any to any keep state
That I think I should be able to replace with:

pass out on $int_if from any to any keep state
pass in on $int_if from any to any keep state

But when I do this, I get the following packets dropped.

Aug 14 12:08:05.230735 rule 0/(match) block out on fxp2: 171.85.113.55.2318 >
171.85.106.133.161:  GetRequest(5)[|snmp]

requisite defs are:

int_if="fxp2"

and the /etc/hostname.fxpo looks like this:

inet 171.85.113.111 255.255.255.128 NONE

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

As we all know I'm no expert :-) but it seems to me as if the blocked
packet was heading to 171.85.106.133 on port 161. However since you have
the address 71.85.113.111 with netmask 255.255.255.128 on int_if the
package is dropped since it's not on the same subnet as int_if. Simply
put, the rules work, but perhaps you have the wrong netmask?

--
Erik Wikström
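
Added example, not part of the original thread: a simplified model that expands $int_if:network from the hostname.if line quoted above and checks the logged packet against the two replacement rules. It assumes int_if is the fxp2 interface from the log and only models direction and from/to addresses, not pf's full rule evaluation or state handling.

```python
import ipaddress
import re

# Values copied from the thread; the parsing and matching logic is a simplified model.
HOSTNAME_IF = "inet 171.85.113.111 255.255.255.128 NONE"
LOG_LINE = ("Aug 14 12:08:05.230735 rule 0/(match) block out on fxp2: "
            "171.85.113.55.2318 > 171.85.106.133.161:  GetRequest(5)[|snmp]")
RULES = [
    "pass in on $int_if from $int_if:network to any keep state",
    "pass out on $int_if from any to $int_if:network keep state",
]

def if_network(hostname_line):
    """Derive what $int_if:network expands to from a hostname.if 'inet' line."""
    _, addr, mask = hostname_line.split()[:3]
    return ipaddress.ip_interface(f"{addr}/{mask}").network

def parse_log(line):
    """Extract direction, interface, source IP and destination IP from the pflog line."""
    m = re.search(r"(in|out) on (\w+): (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:", line)
    direction, iface, src, dst = m.groups()
    return direction, iface, ipaddress.ip_address(src), ipaddress.ip_address(dst)

def rule_matches(rule, net, direction, src, dst):
    """Match only the 'pass <dir> on $int_if from <x> to <y>' form used in the thread."""
    m = re.match(r"pass (in|out) on \$int_if from (\S+) to (\S+)", rule)
    rdir, rsrc, rdst = m.groups()
    def ok(spec, ip):
        return spec == "any" or (spec == "$int_if:network" and ip in net)
    return rdir == direction and ok(rsrc, src) and ok(rdst, dst)

def evaluate(rules=RULES):
    """Return the expanded network and, per rule, whether the logged packet matches."""
    net = if_network(HOSTNAME_IF)
    direction, _, src, dst = parse_log(LOG_LINE)
    return net, [rule_matches(r, net, direction, src, dst) for r in rules]

if __name__ == "__main__":
    net, results = evaluate()
    print("$int_if:network =", net)
    for rule, hit in zip(RULES, results):
        print("match   " if hit else "no match", "|", rule)
```

Neither restricted rule matches the outbound packet, because its destination lies outside the expanded network, while the original "from any to any" pass out rule does.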
