> pass in log quick inet proto tcp to port http synproxy state
> (with default pass out policy)

On Tue, 2008-12-16 at 11:25 -0800, Brian Keefer wrote:

> How many interfaces are on the firewall, I'm assuming 2?

4, but for that problem, 2 are of relevance.

> Why are you synproxying outbound traffic in that case?

Because we wanted to protect our firewalls from outbound connections, too.

> The "pass in" rule will match traffic coming "into" the external
> interface, from the outside, but also traffic coming "into" the
> internal interface, from your client machines.

In this case, the 'pass in' is in regard to the int_if. 'pass out' is set on the ext_if and defaults to 'pass'.

> If you break it out in two separate rules it won't synproxy your
> outbound HTTP requests:
>
> pass in log quick on $ext_if inet proto tcp to port http synproxy state
> pass in log quick on $int_if inet proto tcp to port http modulate state

I have no doubt that disabling synproxy fixes the issue. My question was rather raised to understand *why* it wouldn't work. Nobody has been able to answer it so far.

--
Stephan A. Rickauer
-----------------------------------------------------------
Institute of Neuroinformatics          Tel +41 44 635 30 50
University / ETH Zurich                Sec +41 44 635 30 52
Winterthurerstrasse 190                Fax +41 44 635 30 53
CH-8057 Zurich                         Web www.ini.uzh.ch