I think this can be explained by the default state policy (which is floating) in pf. Consult the man page and look for 'set state-policy'. I think that by default, because you're letting the packets through in your first 'pass' rule you create state. When you get to the outside interface you match this existing state (because the state policy is set to floating) and your second 'pass' rule never evaluates.
One quick way to determine this is to set your state policy to 'if-bound' and then check whether or not you have the same behavior.

-Martin

On 3/14/07, Ryan Corder <[EMAIL PROTECTED]> wrote:
I have a fairly simple ruleset and it doesn't seem to be working right for me... at least it doesn't make much sense.

========
ext_if="bge0"
int_if="bge1"

table <outside> const { 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 }
table <inside> const { 10.0.4.0/24, 10.0.5.0/24 }
table <others> const { 172.18.114.35 }

block log all label "default block"

pass in on $int_if from <inside> to any tag INSIDE keep state
pass out on $ext_if from <inside> to { !<outside>, !<others> } tagged INSIDE keep state flags S/SA
========

Here is the problem: from a machine on the 10.0.5.0/24 subnet, I can connect to any IP and any port on the 10.0.3.0/24 subnet. The way the two pass rules are written, I was thinking that I would be able to connect to anything EXCEPT the subnets listed in <outside> and <others>.

What am I missing here?

Thanks.
ryanc

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646
-- "Suburbia is where the developer bulldozes out the trees, then names the streets after them." --Bill Vaughan
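An added pf.conf example (editor's, not from either poster) that uses Ryan's interface names and tables and shows the two things a pf administrator would check here: the floating state policy Martin describes, and the negated list in the second pass rule, which pf expands into separate rules.

```pf
# Added example, not code from the thread. Interface names and addresses are
# the ones Ryan posted; the rule layout is the editor's.
ext_if="bge0"
int_if="bge1"

table <outside> const { 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 }
table <inside>  const { 10.0.4.0/24, 10.0.5.0/24 }
table <others>  const { 172.18.114.35 }

# Martin's check. The default policy is "floating": the state created by the
# "pass in on $int_if ... keep state" rule is matched on every interface, so
# the packet leaving on $ext_if hits that state and the $ext_if rules are
# never evaluated. With "if-bound" a state only matches on the interface
# that created it, so the "pass out on $ext_if" rule actually runs.
set state-policy if-bound

block log all label "default block"

# The original rule
#   pass out on $ext_if from <inside> to { !<outside>, !<others> } ...
# is a list, and pf expands a list into one rule per element:
#   pass out on $ext_if from <inside> to !<outside> ...
#   pass out on $ext_if from <inside> to !<others>  ...
# The last matching rule wins, and 10.0.3.x is not in <others>, so the
# second expansion passes it even if the $ext_if rules are evaluated.
# Block the unwanted destinations explicitly instead, on the interface
# where the state is created, so the block does not depend on the
# state policy at all.
block in quick log on $int_if from <inside> to <outside> label "to outside"
block in quick log on $int_if from <inside> to <others>  label "to others"

pass in on $int_if from <inside> to any tag INSIDE keep state
pass out on $ext_if from <inside> to any tagged INSIDE keep state flags S/SA
```

Running `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the expanded rule set, which makes the two-rule expansion of the negated list visible.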