You don't set a state-policy, so by default it's floating. You're setting up a state with your 'pass in quick on $int_if' rule. So, with those 2 things, you've created a pass out quick rule implicitly on your $ext_if.
Read the section of the PF FAQ about 'state-policy'. It will make it far more clear than my explanation above.

-James

On 11/15/05, Jon Hart <[EMAIL PROTECTED]> wrote:
>
> On Tue, Nov 15, 2005 at 02:39:59PM -0800, Christian Petro wrote:
> > OpenBSD 3.6
> >
> > /etc/pf.conf
> >
> > When a table, and corresponding rule is defined using:
> >
> > table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }
> >
> > block out quick on $ExtIf inet proto { tcp, udp } from <LimitedAccess>
> > to any port $OutIm
> >
> > OR EVEN
> >
> > block out quick on $ExtIf inet proto { icmp, udp, tcp } from
> > <LimitedAccess> to any
> >
> >
> > The result is both IP addresses are allowed to pass through the firewall.
> >
> >
> > Can anyone comment?
>
> Yes.
>
> There can be many reasons that either of your rules will result in those
> two hosts being allowed through the firewall.
>
> What is the rest of the pf.conf? Without that, I can only guess.
>
> -jon
>
>

--
What would Bilano do?