Jason C. Wells <[EMAIL PROTECTED]> wrote:
>
> Would someone please explain why the nat rule is not sufficient to
> allow me to access a web page? I must have a gross conceptual error
> on how PF works. This is too simple, but I just don't get it.
Th
On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote:
> Jeremy Chadwick wrote:
>
>> I believe it's because pf(4) doesn't make assumptions about what you
>> want to filter. NAT is stateful (it has to be, because packets are
>> being re-written, and the WAN-side port numbers are going to b
Jeremy Chadwick wrote:
I believe it's because pf(4) doesn't make assumptions about what you
want to filter. NAT is stateful (it has to be, because packets are
being re-written, and the WAN-side port numbers are going to be
different than the LAN-side), but filtering rules still apply **after**
On Tue, May 20, 2008 at 06:27:47PM -0700, Jason C. Wells wrote:
> I have these rules (and others) in pf.conf:
>
> nat pass on $ext_if from $int_net to any -> ($ext_if)
>
> block in all
> block out all
>
> I cannot connect to websites unless I also add:
>
> pass proto { tcp, udp } from any to any po
I have these rules (and others) in pf.conf:
nat pass on $ext_if from $int_net to any -> ($ext_if)
block in all
block out all
I cannot connect to websites unless I also add:
pass proto { tcp, udp } from any to any port http keep state
My understanding is that nat rules are inherently stateful.
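A complete pf.conf that reproduces the ruleset posted above and adds the filter rules the thread is working towards, written as an added example that is not part of any message in the thread. Interface names, the LAN prefix, and the choice of http plus https are assumptions. The point it illustrates: the nat rule is attached to $ext_if, but a LAN client's first packet enters pf inbound on $int_if, where only the filter rules run, so "block in all" drops it before translation is ever considered. The NAT state entry does handle the reply coming back in on $ext_if; what is missing is a pass rule for the inbound hop on the LAN side.

```pf
# Added example, not from the thread. em0 is assumed to face the Internet,
# em1 the LAN, and 192.168.1.0/24 is an assumed LAN prefix.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Translation exactly as posted. It is evaluated only for packets leaving
# on $ext_if; the "pass" keyword lets those translated packets skip the
# filter rules on $ext_if. Reply packets match the NAT state on the way
# back in and are likewise passed without consulting the ruleset.
nat pass on $ext_if from $int_net to any -> ($ext_if)

# Default deny, both directions, every interface.
block in all
block out all

# A client's SYN first enters pf inbound on $int_if. The nat rule above is
# never consulted on that interface, so "block in all" wins unless a filter
# rule admits the packet. keep state lets the reply leave on $int_if by
# matching state instead of hitting "block out all".
pass in on $int_if proto tcp from $int_net to any port { http, https } keep state

# Not needed for LAN traffic while the nat rule carries "pass", but required
# if that keyword is dropped, and for connections the gateway itself opens.
pass out on $ext_if proto tcp from any to any port { http, https } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the host must also forward packets (`gateway_enable="YES"` in rc.conf on FreeBSD). After a LAN client opens a web page, `pfctl -s state` shows the connection's state entries, including the translated source address on $ext_if, and `pfctl -vs rules` shows the evaluation counters climbing on the `pass in on $int_if` rule rather than on `block in all`.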