On 12 Jan 2024 16:19 +0100, from r...@h5.or.at (Ralph Aichinger):
> If I insert the following rule at the bottom, everything starts to
> work:
> 
> meta l4proto  udp  accept
> 
> but I don't know how to limit this overly broad rule (so it does not
> forward UDP to the internal network on en0, which I do not want).

My suggestion would be to insert a "udp log" rule. (Pretty sure you
only need "udp", not "meta l4proto udp".)

That will give you a firehose of information which will include ports,
interfaces and other relevant information. You can then narrow it down
until it logs the traffic you want to accept, at which point you can
change the "log" action into an "accept" action.

Note that forwarding and filtering can interact in non-intuitive ways.
You may need to add corresponding log rules to each relevant chain,
maybe with a prefix to tell them apart.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
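A worked version of the procedure described in the reply above: log rules with a distinct prefix in each chain, then reduce the resulting firehose to candidate accept rules. This is an added example for this thread, not configuration from either poster. The table and chain names, the interface roles (en0 internal, en1 upstream), the log prefixes and the log lines are all constructed assumptions; the match uses `meta l4proto udp`, which is accepted by every nft version, rather than a bare `udp`.

```python
"""Narrow an nftables "udp log" firehose down to accept rules.

Added example, not the original poster's ruleset. Interface names,
prefixes and sample log lines are constructed for illustration.
"""
import re
from collections import Counter

# Step 1 (assumed table/chain names): log UDP in every chain that could
# see the traffic, each with its own prefix so hits can be told apart.
# Put these above the final drop, or they never fire.
LOG_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        meta l4proto udp log prefix "udp-input: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        meta l4proto udp log prefix "udp-forward: "
    }
}
"""

# Constructed kernel log lines in the layout the nft "log" statement
# produces: the prefix comes first, followed by IN=/OUT= and the
# decoded headers. The last line is unrelated and must be skipped.
SAMPLE_LOG = """\
udp-forward: IN=en0 OUT=en1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=UDP SPT=40321 DPT=53 LEN=40
udp-forward: IN=en0 OUT=en1 SRC=10.0.0.7 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=UDP SPT=40322 DPT=53 LEN=41
udp-forward: IN=en1 OUT=en0 SRC=198.51.100.9 DST=10.0.0.5 LEN=80 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=UDP SPT=5060 DPT=5060 LEN=60
udp-input: IN=en1 OUT= SRC=198.51.100.20 DST=203.0.113.1 LEN=176 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=41000 DPT=51820 LEN=156
ignored: unrelated kernel message without a packet
"""

# The prefix must directly precede "IN=", which is how nf_log lays the
# line out; OUT= is empty for packets addressed to the host itself.
LOG_RE = re.compile(
    r"(?P<prefix>[\w.-]+): IN=(?P<iif>\S*) OUT=(?P<oif>\S*)"
    r".*?\bPROTO=UDP\b.*?\bSPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (prefix, in_iface, out_iface, dport) per UDP log line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield (m["prefix"], m["iif"], m["oif"], int(m["dport"]))


def summarize(text):
    """Count distinct (chain, interfaces, destination port) tuples."""
    return Counter(parse_log(text))


def suggest_rules(summary, internal_iface="en0"):
    """Step 2: turn the summary into narrowed accept rules per chain.

    Forward flows whose OUT interface is the internal one are kept
    apart under "rejected" instead of silently dropped, so the
    administrator sees what the broad rule would have let through.
    Only the first packet of a flow needs a rule here; replies are
    covered by the ct state established,related rule above.
    """
    rules = {"forward": [], "input": [], "rejected": []}
    for (prefix, iif, oif, dport), _count in sorted(summary.items()):
        if prefix == "udp-forward":
            rule = f'iifname "{iif}" oifname "{oif}" udp dport {dport} accept'
            bucket = "rejected" if oif == internal_iface else "forward"
            rules[bucket].append(rule)
        elif prefix == "udp-input":
            rules["input"].append(f'iifname "{iif}" udp dport {dport} accept')
    return rules


if __name__ == "__main__":
    print(LOG_RULESET)
    for chain, lines in suggest_rules(summarize(SAMPLE_LOG)).items():
        print(chain)
        for r in lines:
            print("   ", r)
```

Once the "forward" and "input" lists look like the traffic you actually want, replace the log rules with those accept rules; the "rejected" list is the traffic the blanket `accept` was also letting onto en0.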
