Thanks for taking a swing.

>> I had a static IP with my previous provider; but Comcast is dynamic.
>> However, I don't think that's an issue (see rule set below).
>
> Is it a non-routable IP?

No; it's 71.xxx.xxx.xxx

>> ext_if = "nfe0" # On-board NIC
>> int_if = "re0" # Realtek gigabit card
>> table <trusted> { 68.xxx.xxx.xxx, 24.xxx.xxx.xxx }
>> table <forbidden> { 10.0.0.0/8, 176.16.0.0/12, 192.168.0.0/16 }
>
> Does nfe0 have an IP in one of these ranges?

nfe0 IP=71.xxx.xxx.xxx

>> # FILTER
>> block in log
>> pass in
>
> I don't think this is right, do you really want to do this?

You're right; the "pass in" was some of yesterday's flailing. I guess I was flustered and forgot to remove this line. It wasn't there before yesterday.

>> # these addresses don't belong on the internet
>> block in on $ext_if from <forbidden>
>
> I wonder if this is causing your problem with a non-routable IP on nfe0.

nfe0 IP=71.xxx.xxx.xxx

Anyway, thanks for pointing out that glaring mistake about the "pass in". Unfortunately, it doesn't address my problem, but the lesson is to experiment with a test file instead of a working rule set :)

-Scott
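
As an added example, not part of the original message: a Python check of the `<forbidden>` table quoted above, answering the two questions raised about it (are its entries really non-routable, and can the external address match it). It assumes the table is meant to hold the RFC 1918 private ranges, and it tests the whole 71.0.0.0/8 block because the interface address is redacted beyond its first octet; the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges (assumption: what the <forbidden> table is meant to hold)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Entries copied verbatim from the <forbidden> table in the quoted rule set
FORBIDDEN = ["10.0.0.0/8", "176.16.0.0/12", "192.168.0.0/16"]


def audit_table(entries):
    """Label each table entry 'private' if it lies inside an RFC 1918 range."""
    results = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        private = any(net.subnet_of(r) for r in RFC1918)
        results.append((entry, "private" if private else "public"))
    return results


def missing_rfc1918(entries):
    """RFC 1918 ranges that no table entry covers."""
    nets = [ipaddress.ip_network(e) for e in entries]
    return [str(r) for r in RFC1918 if not any(r.subnet_of(n) for n in nets)]


def overlaps_table(candidate, entries):
    """True if any address in `candidate` would match a table entry."""
    cand = ipaddress.ip_network(candidate)
    return any(cand.overlaps(ipaddress.ip_network(e)) for e in entries)


if __name__ == "__main__":
    for entry, verdict in audit_table(FORBIDDEN):
        print(f"{entry:18} {verdict}")
    print("uncovered RFC 1918 ranges:", missing_rfc1918(FORBIDDEN))
    # The external address starts with 71, so test the whole /8.
    print("71.0.0.0/8 can match <forbidden>:",
          overlaps_table("71.0.0.0/8", FORBIDDEN))
```

With the table as posted, the check reports that a 71.x address cannot match `<forbidden>`, that `176.16.0.0/12` is public address space, and that `172.16.0.0/12` is not covered by any entry.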