On 2007/03/20 06:18, Lawrence Horvath wrote:
> On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> >On 2007/03/20 04:41, Lawrence Horvath wrote:
> >> I have the below rule set in my pf.conf, I am having the following
> >> problem, I need to be able to log into the firewall with ssh from
> >> outside, and nothing should be able to hit the firewall from inside,
> >> not even ping
> >
> >You don't "pass out" anything, either directly or via keep state.
> >Also see the Notes section of bridge(4).

Ahh, I missed that you have a default "pass out" since your default
blocks are only for inbound.

tcpdump on various interfaces (including pflog0 with the relevant log
keywords added to pf.conf) will help you see how it works. Some things
depend on which interface has the IP address.

The advice in bridge(4) about passing/skipping traffic on one of the
interfaces makes things easier to follow.
