On 27-10-2015 09:37, Michael S. Keller wrote:
> These are the rules that appear potentially to affect outgoing packets
> on the internal interface:
>
> match inet from any to 192.168.1.62
> block drop out on gem0 all
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
>
> Only traffic that initiates directly from the OpenBSD firewall
> triggers these rules. Neither web page loads (which traverse the NAT)
> nor SSH session replies increase the trigger counts on any of these
> three rules.

Since you seem to be unwilling to use tags, let's try to debug this
another way. Install and configure nfsen, create a pflow(4) interface
and set the default for every state to use pflow:

set state-defaults pflow

You will see every flow passing, incoming and leaving your firewall.
Since you mentioned that you're seeing the traffic on tcpdump, this can
make it easier to visualize where your packets are going.

Cheers,
Giancarlo Razzolini
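
The setup described in the reply above, written out as an added example that is not part of the original message. The source address 192.168.1.1, the collector at 192.168.1.10 and UDP port 9995 are assumptions; substitute the firewall's own address and wherever nfsen is listening.

```conf
# /etc/hostname.pflow0
# Creates pflow0 at boot. Addresses and port below are assumed values.
# flowsrc = local address the export packets are sent from
# flowdst = nfsen collector address:port
flowsrc 192.168.1.1 flowdst 192.168.1.10:9995 pflowproto 5

# /etc/pf.conf (with the other "set" options, before the rules)
# Export every state, including states created by rules that carry
# no explicit state options of their own.
set state-defaults pflow

# To limit export to one rule instead, the same option can be given per rule:
#   pass out on gem0 inet from any to 192.168.1.0/24 keep state (pflow)

# Apply without rebooting (as root):
#   sh /etc/netstart pflow0
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
```

pflow(4) exports a record when a state is removed, so a long-lived SSH session shows up in nfsen only after its state expires or is killed.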
