On Wed, Feb 25, 2009 at 8:45 PM, Jason Dixon <ja...@dixongroup.net> wrote:
> I'll agree with you here. Patrick makes a good point in that
> translation rules always apply before filter rules and that *should*
> take effect here as well (nat outbound). However, after thinking about
> it a bit more, we usually apply this in the case of filtering *and*
> translation happening on the *same* interface.
>
> In our example with nat, the filtering (and state creation) takes place
> on the internal interface first. It is then routed through and allowed
> to pass outbound on $ext_if since a matching state already exists. At
> least, that's my interpretation of the flow. Feel free to correct me
> where my logic is flawed.
Hmm... you are correct. State is created on $int_if, then NAT-ed outbound. Return packets arrive on $ext_if, get NAT-ed back and filtered and state matched. So the only problem was the outbound DNS from the pf-firewall box, which is why you needed the 'pass out'. So even though OP said he couldn't even ping after your rule-set, he probably was trying 'ping some-host' rather than 'ping ip'. --patrick
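The flow described in this exchange, written out as a pf.conf fragment. This is an added illustration, not a ruleset from either poster or from the OP's thread; the interface names, the LAN prefix and the DNS server address are made-up placeholders, and the syntax is the pre-4.7 `nat on` form in use at the time of the thread.

```pf
# Constructed placeholders: adjust to the real interfaces and addresses.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
dns_srv = "192.0.2.53"

set skip on lo

# Translation is evaluated before filtering: LAN sources are rewritten
# to the external address as packets leave $ext_if.
nat on $ext_if from $lan_net to any -> ($ext_if)

block log all

# State is created here, on $int_if, when a LAN host's packet arrives.
# The same packet, now translated, matches that state on its way out
# of $ext_if, so no separate 'pass out on $ext_if' is needed for it,
# and the reply is un-translated and matched against the same state.
pass in on $int_if from $lan_net to any keep state

# Traffic that originates on the firewall itself never crosses $int_if,
# so it has no state to match; it needs its own outbound rule. This is
# the DNS case from the thread: without it, name lookups from the
# firewall fail, so 'ping some-host' fails while 'ping <ip>' still works.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $dns_srv port domain keep state
```

Loading the ruleset with `pfctl -nf /etc/pf.conf` checks the syntax without applying it, and `pfctl -ss` after a LAN host connects out shows the single state entry on $int_if that the translated packet reuses on $ext_if.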