Hello,

I'm running OpenBSD 4.2-stable on a firewall with four interfaces. The
settings are relatively strict and by default everything is blocked (block
log all). Since spamd is also running besides the packet filter, the
localhost needs to update the blacklists via spamd-setup. A rule like
this allows that:

pass out quick on $ext_if inet proto tcp from ($ext_if) \
        to any port http keep state

But that rule gives me a headache. I can't use "tagged" (or at least I
don't know how to do it) because packets from localhost don't run
through an input chain and I can't tag them.

If I had a rule that allows connections to machines listening on the http
port and I tag that rule (so packets passing through this input chain
get tagged), the rule above would still match because it does not have any
tags and therefore it fits any packet (tagged or not). But I would like to
create a separate rule which uses tagged.

Is there a way to limit this behavior? There are several other services
I use at the firewall like DNS, NTP and so on.

Best regards
Stefan
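As an added illustration (not part of Stefan's post, and not a configuration he or the OpenBSD project supplied), the following pf.conf fragment shows how a tag set on the inbound rule can be matched on the outbound side with "tagged", and how the negated form "! tagged" keeps the rule for the firewall's own traffic (spamd-setup, DNS, NTP) from also matching forwarded, tagged packets. The interface names, the FWD_HTTP tag name and the "set state-policy if-bound" line are assumptions chosen for the example; if-bound states make sure the out rules on $ext_if are actually evaluated for forwarded packets rather than short-circuited by the state created on $int_if.

```pf
# Assumed interface names for the example.
ext_if = "em0"
int_if = "em1"

# States are bound to the interface they were created on, so forwarded
# packets are evaluated against the "pass out" rules on $ext_if as well.
set state-policy if-bound
set skip on lo

block log all

# Forwarded traffic from the inside network: tag it on the way in.
pass in quick on $int_if inet proto tcp from $int_if:network \
        to any port http tag FWD_HTTP keep state

# Only packets that already carry the tag (i.e. forwarded ones) leave
# through this rule.
pass out quick on $ext_if inet proto tcp from $int_if:network \
        to any port http tagged FWD_HTTP keep state

# Locally originated traffic never passed an input rule and therefore
# carries no tag. "! tagged FWD_HTTP" restricts this rule to exactly
# those untagged packets, so it no longer matches forwarded traffic.
pass out quick on $ext_if inet proto tcp from ($ext_if) \
        to any port http ! tagged FWD_HTTP keep state

# The same pattern applies to the firewall's other services.
pass out quick on $ext_if inet proto udp from ($ext_if) \
        to any port { domain, ntp } ! tagged FWD_HTTP keep state
```

Check the result with "pfctl -vvsr" to confirm the rules loaded in the intended order, and watch "tcpdump -n -e -ttt -i pflog0" while running spamd-setup: its connections should now be passed only by the "! tagged" rule, while forwarded http traffic that somehow lacks the tag is blocked and logged instead of being silently let through.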
