Steve Johnson <[EMAIL PROTECTED]> writes:

> I have keep state entries for all of my rules, so I don't know where
> the problem could be. The ruleset is available here:
> http://www.sjohnson.info/other/pf.conf
>
> The only thing I've removed from the ruleset are aliases and table
> definitions.

Leaving those definitions in there (suitably anonymized if need be)
would have made it easier to play with for others.  

But anyway, the first thing that strikes me is that the ruleset logic
is a bit hard to follow with all those pass quick rules and the block
quick at the end.

That final block could be a significant part of the problem, and
unless my low caffeine level plays tricks on me, the only "pass out" I
find is for ICMP traffic.  If you want traffic through your gateway,
you need to pass out to $somewhere as well (or where appropriate just
pass from $foo to $bar).

It's usually a lot better to start with a block all, then punch the
holes you need with pass rules, and add quick only when there's a real
need for it.  And as Joachim mentioned, using lists and macros in a
few places where your rule set now has blocks of very similar rules is
extremely good for readability.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
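
To illustrate the structure Peter recommends (a default block, explicit pass rules including a pass out on the external interface, quick used only where a rule must not be overridden, and lists and macros in place of blocks of near-identical rules), here is a small added gateway ruleset. It is example configuration written for this page, not Steve's pf.conf and not anything posted in the thread; the interface names, the LAN network and the service list are assumptions, NAT is left out, and keep state is written explicitly as Steve does in his own rules.

```pf
# Added example ruleset; not from the thread. Interface names, the LAN
# network and the service list are assumptions.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
tcp_services = "{ ssh, http, https }"

set skip on lo

# Default deny: anything not explicitly passed below is dropped.
block all

# Spoofed source addresses on the LAN side must never get through, and no
# later rule should be able to override that, so this is the one place a
# "quick" earns its keep.
antispoof quick for $int_if

# Let the LAN reach the outside world. The "pass out" is what the thread
# points out as missing: packets leaving the gateway need a rule too,
# otherwise the default block above eats them.
pass in on $int_if inet proto { tcp, udp, icmp } from $lan_net to any keep state
pass out on $ext_if inet from any to any keep state

# Services reachable from outside, as one list rule instead of several
# near-identical lines. ($ext_if) picks up the interface address dynamically.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services keep state

# Let the gateway itself answer and originate ICMP.
pass inet proto icmp all keep state
```

With this layout a rule that does not match simply falls through to the default block, so reading the file top to bottom tells you exactly what is allowed; a pfctl -vnf /etc/pf.conf parse run before loading shows the expanded rules and is the quickest way to spot a missing pass out.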
