On Sun, Jul 26, 2009 at 4:02 PM, Andres Salazar<ndrsslz...@gmail.com> wrote:
> Hello Patrick,
>
> I also tried your approach, but at the end it behaves the same.
> Without the "pass out" I don't have internet in any of the two
> interfaces, with it then I just have totally opened ports on both of
> the interfaces. The restrictive port rules are being ignored.
That's why I had the "pass out" in my rule-set. It should allow all traffic to leave the interfaces. The "pass in on $int_if2" and "pass in on $int_if" limit what sort of traffic is allowed from those LANs. When I had replied, you had not yet specified the restriction on $int_if2, so my rule-set allowed all traffic to all ports from that segment. I see that Jason Dixon has a new rule-set for you that has the required "pass out". I think that should work for you.

--patrick
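The structure Patrick describes, written out as a pf.conf fragment (an added illustration, not the rule-set posted in this thread): a default deny, a stateful "pass out" so traffic can leave any interface, and per-LAN "pass in" rules that restrict what each segment may start. The macro values, $ext_if and the port lists are assumptions chosen for the example.

```pf
# Assumed interface names and port lists; the thread only uses $int_if and $int_if2.
ext_if  = "em0"
int_if  = "em1"
int_if2 = "em2"
lan2_tcp_ports = "{ 53, 80, 443 }"

# Default deny in both directions on every interface.
block all

# Let traffic leave the firewall on any interface and keep state so that
# replies are matched by the state entry instead of the "block all" rule.
# Without this rule outbound packets on $ext_if are dropped, which is the
# "no internet on either interface" symptom described above.
pass out quick keep state

# First LAN: anything it originates is allowed to enter the firewall.
pass in on $int_if keep state

# Second LAN: only DNS and web traffic may enter; everything else from
# this segment still hits "block all". "pass out" does not widen this,
# because it only applies to packets leaving an interface.
pass in on $int_if2 proto udp to port 53 keep state
pass in on $int_if2 proto tcp to port $lan2_tcp_ports keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check the file, then `pfctl -f /etc/pf.conf` to apply it.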