On Monday, Jun 2, 2003, at 09:48 US/Pacific, Amir Seyavash Mesry wrote:
> Here is my pf.conf, the keep state on the icmp doesn't seem to be
> working, it won't pass the packets out. I.e. I am on host 10.0.0.51,
> I ping 10.0.4.1 (routing table entry is present for this net) and it
> won't ping it, but if I ping 10.0.0.1 (fxp1) then it will allow the
> packet and let it return. I think it is something really simple that
> I am overlooking but I can't figure it out. Any help is appreciated.
>
> # nat rules for both lan segments
> nat on $eth0 from $lan1 to any -> $eth0
> nat on $eth0 from $lan2 to any -> $eth0
>
> #block all in-out
> block in log all
> block out log all
You don't have any "pass out" rules for $eth2, so the packet is never
reaching 10.0.4.1 (assuming it's on $eth2; you didn't say).
> #allow nat for both lan segments only if lan segments initiate request.
> pass out on $eth0 inet proto tcp from $lan1 to any modulate state
> pass out on $eth0 inet proto udp from $lan1 to any keep state
> pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
> pass out on $eth0 inet proto tcp from $lan2 to any modulate state
> pass out on $eth0 inet proto udp from $lan2 to any keep state
> pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state
As a side note, these rules should never apply, as nat has already taken
effect by the time you get to filter out on $eth0.
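As an added example (not the original poster's pf.conf and not code from the reply above), here is a complete ruleset that applies both corrections: explicit "pass out" rules on the internal interfaces for the LAN-to-LAN traffic that is currently dropped, and "pass out" rules on $eth0 that match the post-nat source address instead of $lan1/$lan2. The interface names fxp0 and fxp2 and the 10.0.4.0/24 network sitting on $eth2 are assumptions; the thread only gives fxp1 as 10.0.0.1 and says a route to that network exists.

```pf
# Added example ruleset; macros below are assumptions, not from the thread.
eth0 = "fxp0"          # external interface (assumed)
eth1 = "fxp1"          # lan1 side, 10.0.0.1 per the thread
eth2 = "fxp2"          # lan2 side, assumed to carry the 10.0.4.0/24 route
lan1 = "10.0.0.0/24"
lan2 = "10.0.4.0/24"   # assumed; the thread only says a route to it exists

# nat for both lan segments, evaluated before any filter rule
nat on $eth0 from $lan1 to any -> $eth0
nat on $eth0 from $lan2 to any -> $eth0

# default deny, logged, so pflog0 shows exactly which packets were dropped
block in log all
block out log all

# "block in all" also covers the internal interfaces, so let each LAN in on
# its own interface; the state created here is not bound to an interface and
# is matched again when the packet leaves on another one
pass in on $eth1 inet from $lan1 to any keep state
pass in on $eth2 inet from $lan2 to any keep state

# point 1 from the reply: traffic between the two segments needs a matching
# "pass out" on the far side; spelling it out keeps the ruleset readable and
# still correct if the "pass in" rules above are tightened later
pass out on $eth1 inet from $lan2 to $lan1 keep state
pass out on $eth2 inet from $lan1 to $lan2 keep state

# point 2 from the reply: when a packet is filtered out on $eth0, nat has
# already rewritten its source to $eth0's address, so a rule matching
# "from $lan1" can never fire here; match the translated source instead
pass out on $eth0 inet proto tcp  from $eth0 to any modulate state
pass out on $eth0 inet proto udp  from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, then repeat the ping from 10.0.0.51 while running `tcpdump -n -e -ttt -i pflog0`; each logged drop carries the number of the block rule that matched, which `pfctl -vsr` maps back to the rule text, and `pfctl -ss` shows whether the icmp state was created at all.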