On Wed, 25 Feb 2009 17:39:31 -0800, patrick keshishian wrote:
> The floating states based on line 10 would be for pre-NAT sources on
> $int_if and wouldn't match any inbound packets on $ext_if. Unless I'm
> misunderstanding how NAT works with pf, there are no pass out rules
> that would create states for these packets:
>
> from pf.conf(5):
>
>     Since translation occurs before filtering the filter engine will see
>     packets as they look after any addresses and ports have been translated.
>     Filter rules will therefore have to filter based on the translated
>     address and port number. Packets that match a translation rule are only
>     automatically passed if the pass modifier is given, otherwise they are
>     still subject to block and pass rules.
>     ...
>     Translation rules apply only to packets that pass through the specified
>     interface, and if no interface is specified, translation is applied to
>     packets on all interfaces.
>
That's all fine but, pray tell, which rule is doing the blocking? The only
block I can see says "09 block in log all" - no block out anything.

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list. Mail to
the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled
to reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
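An added illustration of the pf.conf(5) semantics quoted above, not the ruleset under discussion in this thread and not code from either poster. Interface names, the LAN prefix and the rule order are assumptions chosen to mirror the situation described (a "block in log all", a nat rule without the "pass" modifier, and states created only on the internal interface). It uses the pre-OpenBSD-4.7 "nat on" syntax that was current in February 2009:

```pf
# Added example, not from the thread. em0/em1 and 192.168.1.0/24 are
# assumed. Translation happens before filtering, so an outbound packet
# that matches "nat on $ext_if" is seen by the filter with its translated
# source, and the reply to it is still subject to "block in log all"
# unless some rule created a state on $ext_if.
ext_if = "em0"            # assumed external interface
int_if = "em1"            # assumed internal interface
lan    = "192.168.1.0/24" # assumed internal network

set skip on lo

# NAT without the "pass" modifier: matching packets are NOT automatically
# passed; they fall through to the filter rules below with the translated
# source address.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny inbound, as in the ruleset being discussed. There is no
# "block out", so outbound traffic is only ever blocked by the absence of
# a state for the return packets.
block in log all

# Creates a state on $int_if keyed on the PRE-NAT source. Replies arrive
# on $ext_if addressed to the translated source, so they do not match
# this state and are evaluated against "block in log all".
pass in on $int_if from $lan to any keep state

# Without this rule nothing creates a state on $ext_if for the translated
# flow and the reply is dropped and logged. With it, the reply matches
# the state and is passed without the rules being consulted again. The
# equivalent shortcut is "nat pass on $ext_if ..." above, which passes
# matching packets without consulting the filter rules at all.
pass out on $ext_if from ($ext_if) to any keep state
```

Two checks worth running when debugging a ruleset like this: "pfctl -nf /etc/pf.conf" parses the file without loading it, and "pfctl -vvss" lists the state table with the pre- and post-translation addresses of each entry, which shows directly whether a state exists on $ext_if for the translated flow or only on $int_if for the original one. "keep state" is written out explicitly here for clarity; on OpenBSD releases from 4.1 onward it is the default for pass rules.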