Sean Balch wrote:
I'm running a 3.3 release firewall and am having a simple problem that I've never had before.
Two nics, external and internal. Internal has ip 192.168.0.1, and all machines behind it are on 192.168.0.0/24.


using these rules, I cannot get internal traffic to leave the box.


nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
block out on $ext_if all
pass out on $ext_if inet proto { tcp, udp, icmp } from 192.168.0.0/24 to any keep state

Hi Sean. Taken from the pf.conf man page in -current:


Since translation occurs before filtering the filter engine will see packets as they look after any addresses and ports have been translated. Filter rules will therefore have to filter based on the translated address and port number.

This is a FAQ.



.joel


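A concrete version of joel's point, as an added example that is not part of either post (the interface names, the macro layout and the single-address external interface are assumptions). Because the nat rule rewrites the source address to the external interface's address before the filter rules run, a "pass out" rule that still names the LAN range never matches and the "block out" rule wins. Either match the translated address on $ext_if, or filter the LAN traffic on $int_if where it is still untranslated:

```pf
# Added example, not from the original posts. Assumes pf on OpenBSD 3.x,
# where nat rules are evaluated before filter rules, and these (assumed)
# interface names.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.0.0/24"

# Translation happens first: outbound LAN packets leave with $ext_if's
# address as their source.
nat on $ext_if from $lan to any -> ($ext_if)

block out on $ext_if all

# Wrong: by the time this rule is checked the source is no longer in $lan,
# so it never matches and the block rule above drops the packet.
# pass out on $ext_if inet proto { tcp, udp, icmp } from $lan to any keep state

# Fix 1: filter on the translated source address. $ext_if expands to the
# interface's address(es) when the ruleset is loaded.
pass out on $ext_if inet proto { tcp, udp, icmp } from $ext_if to any keep state

# Fix 2 (alternative): filter before translation, on the inside interface,
# where the packet still carries its original 192.168.0.x source.
# pass in on $int_if inet proto { tcp, udp, icmp } from $lan to any keep state
```

Load the candidate ruleset with "pfctl -nf /etc/pf.conf" to check syntax before applying it, and use "pfctl -sn" and "pfctl -sr" to confirm that the nat rule and the pass rule both loaded as intended.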