Tags are for assigning trust between interfaces, for instance to
prevent traffic from the WWW DMZ from leaking into the trusted LAN. As the
FW traffic is explicitly from the FW out a specified interface, as
shown by your rule, it doesn't need to have trust assigned to it,
as only one interface is involved.

On 2/24/08, Stefan Schulze Frielinghaus <[EMAIL PROTECTED]> wrote:
> Hello,
>
>  I'm running OpenBSD 4.2-stable on a firewall with four interfaces. The
>  settings are relatively strict and by default everything is blocked (block
>  log all). Since spamd is also running alongside the packet filter, the
>  localhost needs to update the blacklists via spamd-setup. A rule like
>  this allows that:
>
>  pass out quick on $ext_if inet proto tcp from ($ext_if) \
>         to any port http keep state
>
>  But that rule gives me a headache. I can't use "tagged" (or at least I
>  don't know how to do it) because packets from localhost don't run
>  through an input chain and I can't tag them.
>
>  If I had a rule that allows connections to machines listening at the http
>  port and I tag that rule (so packets passing through this input chain
>  get tagged), the rule above would count because it does not have any tags
>  and therefore it fits any packet (tagged or not). But I would like to
>  create a separate rule which uses tagged.
>
>  Is there a way to limit this behavior? There are several other services
>  I use at the firewall like DNS, NTP and so on.
>
>  Best regards
>
> Stefan
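As an added illustration of the reply's point (not part of the original thread, and not Stefan's ruleset): a pf.conf fragment where tags carry trust between interfaces, while the firewall's own outbound rule from the question stays untagged because only one interface is involved. The interface macros `$dmz_if` and `$int_if` and the tag name `DMZ` are assumptions chosen for the example.

```pf
# Interface macros (assumed for this example)
ext_if = "em0"
dmz_if = "em1"
int_if = "em2"

# Default policy as in the question: everything is blocked and logged
block log all

# Traffic entering from the DMZ is tagged on the way in, so it can be
# recognised on whichever interface it tries to leave through
pass in on $dmz_if inet proto tcp from $dmz_if:network to any port http \
        keep state tag DMZ

# Trust boundary: DMZ-tagged packets never leave towards the trusted LAN
block out log quick on $int_if tagged DMZ

# The firewall's own traffic (spamd-setup fetching blacklists) involves
# only $ext_if, so no tag is needed here
pass out quick on $ext_if inet proto tcp from ($ext_if) \
        to any port http keep state
```

The `block out ... tagged DMZ` rule uses `quick` and sits before any pass rules on `$int_if`, so a DMZ host cannot reach the LAN even if a later, broader pass rule would otherwise match. The tag is attached to the state, so return packets of a DMZ-initiated connection keep the tag as well.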
