>>> On 20 July 2007 at 10:04, in message <[EMAIL PROTECTED]>, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/07/20 08:45, Gordon Ross wrote:
>> > Might be below the minimum; there's no explicit "pass out".
>>
>> No, the packets get out the "other side" of the OBSD box to the destination,
>> it's the return packets that get blocked.
>
> Yes, exactly. Your implicit 'pass out' will allow the outbound
> packets but it looks like this isn't stateful so it won't permit
> the return packets (current behaviour doesn't match pf.conf(5)
> docs; the diff below should address this).
Phew! I thought my brain had gone the same way as my hair... ;-)

> Can you try just adding 'pass out' to the top of the ruleset
> please?

I did:

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state
pass out on $out_if

and that worked.

> I guess it will help, you could then refine it by tagging
> incoming packets and 'pass out on XX tagged FOO' which is much
> easier than doing each rule individually.

I then did:

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 tag TEST_TAG keep state
pass out on $out_if tagged TEST_TAG

and that worked as well - and (I believe) is tighter than just a "pass out".
(Certainly solves my paranoid problem in my previous posting)

Going off on a tangent here: Why is it that I've just picked this up and no-one else has? Is it because I'm running in full paranoia mode and blocking *everything* unless explicitly allowed?

I haven't tried your diff - let me know if you want me to.

Thanks for your help, much appreciated.

GTG
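As an added illustration of the tagging approach Stuart suggests (this fragment is not part of the thread and not Gordon's ruleset), here is a pf.conf excerpt that keeps the default-deny posture and extends the tag across several inbound rules so a single "pass out ... tagged" rule covers all of them. The interface names, the second client address and the port numbers are constructed assumptions; the addresses from the thread are reused.

```pf
# Added example, not taken from the thread. Interface names, the
# 172.16.2.35 client and the port numbers are constructed assumptions.
int_if = "em0"
out_if = "em1"

# Default-deny: pf uses last-matching-rule-wins, so this catches
# everything that no later "pass" rule matches, on both interfaces.
block log all

# Each explicitly permitted flow is stateful and tagged on the way in.
# "keep state" lets the reply packets match the state entry instead of
# having to traverse the ruleset again, which is what failed when the
# only outbound permission was the implicit (non-stateful) pass out.
pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 port 22 \
    tag TEST_TAG keep state
pass in on $int_if proto tcp from 172.16.2.35 to 192.168.249.3 port 443 \
    tag TEST_TAG keep state

# One outbound rule serves every tagged flow. Traffic that was not
# admitted (and therefore not tagged) by a rule above still falls back
# to "block log all" on $out_if, so this stays tighter than a blanket
# "pass out on $out_if".
pass out on $out_if tagged TEST_TAG
```

Before loading, a syntax-only check with pfctl -n -f /etc/pf.conf catches typos without touching the running ruleset.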