On 2006/09/10 09:08, steve szmidt wrote:
> > Maybe it would help to post pfctl -sr -vv with the direct entry
> > (i.e. working) and table (i.e. not-working). Perhaps pfctl -sT -v
> > too.
>
> Since pflog0 tells me which rule was used I only include that rule. The first
> one is working and the 2nd is not.
>
> pass out log on $WAN proto tcp from any to any port $Web keep state
oh, I thought you were putting the addresses in there (instead of loading from a table), not "any".

> pass out log on $WAN proto tcp from <managers> to any port $Web keep state
>
> @7 block drop out log on bge0 all

that's not especially helpful, the interesting rule is the "pass out" which isn't working...

...but since I now know you're using "any" to make it work rather than just listing the addresses, I guess the actual problem is that you're natting.

NAT takes place before filtering; i.e. where NAT is used, you must use NATted addresses in the filter rules. In your case you probably want to either filter or tag (either on ingress or when you NAT).

> Ah, yes. That would not be good. Squid would be better in that regard.

If you prefer simpler and lower resource-use and don't need caching, tinyproxy works nicely.
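An added pf.conf sketch (not from the thread) showing why the <managers> rule falls through to the block rule and the two fixes described above; the interface names, the 192.0.2.0/24 network and the table contents are assumed:

```conf
# Added example, not from the thread. Assumed: $wan = bge0, $lan = em0,
# a constructed LAN 192.0.2.0/24 and a constructed <managers> table.
wan = "bge0"
lan = "em0"
web = "{ 80, 443 }"
table <managers> { 192.0.2.10, 192.0.2.11 }

# NAT runs before the filter: by the time a packet reaches a "pass out"
# rule on $wan its source is already ($wan), never a <managers> address.
nat on $wan from 192.0.2.0/24 to any -> ($wan)

block log all

# Broken: the source was rewritten before this rule is evaluated, so it
# never matches and the packet falls through to "block log all" (the @7
# block seen in pflog0).
# pass out log on $wan proto tcp from <managers> to any port $web keep state

# Fix 1: tag on ingress, where the original address is still visible,
# and match the tag on egress.
pass in on $lan proto tcp from <managers> to any port $web keep state tag MGR_WEB
pass out log on $wan proto tcp tagged MGR_WEB keep state

# Fix 2 (instead of tags): make the per-host decision on the LAN side and
# filter on the NATted address on egress.
# pass in on $lan proto tcp from <managers> to any port $web keep state
# pass out log on $wan proto tcp from ($wan) to any port $web keep state
```

With either fix, `pfctl -sr -vv` shows the egress rule's counters increasing for manager traffic instead of the block rule's.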