Hurray! Solved by the following change:

- pass in proto tcp from <nPrivate> to <nPublic> keep state
+ pass out proto tcp from <nPrivate> to <nPublic> keep state
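Review bot: the added `pass out` rule carries no `on <interface>` qualifier, so it matches outbound packets on both interfaces of the gateway; since the point of the change is to create state on the campus-facing side, where the SYN/ACK arrives inbound, binding it to that interface (`pass out on <campus_if> proto tcp from <nPrivate> to <nPublic> keep state`) would make the intent explicit and keep it from matching anything else. Note also that with the `pass in ... keep state` line removed, the office-side SYN is now admitted only by the stateless `pass in from <nPrivate> to <nPublic>` rule that precedes it in the quoted ruleset, so that rule must stay.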
I think the community NEEDS documentation about PF's stateful inspection, its internal organization, possibilities and limitations. Documentation, not a mailing-list archive (I guess nobody needs an explanation of the difference). Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service

For archives:

IAK> I am trying to pass any outgoing TCP connections from my
IAK> office (<nPrivate>) onto campus network (<nPublic>) sites,
IAK> but block any incoming connections from campus to office.
IAK> I can use for it a PF ruleset like this (on a 2-ifaced GW
IAK> between office & campus):
IAK> --------------------------------------------
>> block in all
>> block return-rst in proto tcp all
>>
>> pass in on lo0 all
>>
>> pass in from <nPublic> to <nPublic>
>> pass in from <nPrivate> to <nPublic>
>> pass in from <nPrivate> to <nPrivate>
>>
>> pass in proto tcp from <nPrivate> to <nPublic> keep state
IAK> --------------------------------------------
IAK> I supposed that the last rule would create state for the
IAK> outgoing connection and pass all campus packets for it.
IAK> But it seems it does not work ... or I missed some other
IAK> factors.
IAK> tcpdump(8) shows this interchange:
IAK>
IAK>   OFFICE     ______    CAMPUS
IAK>             |      |
IAK>   SYN ->    |  GW  |   -> SYN
IAK>             |      |   <- SYN ACK
IAK>             |      |   -> RST
IAK>   and       |      |
IAK>   again     |      |
IAK>             |      |
IAK>   SYN ->    |      |   -> SYN
IAK>             |      |   <- SYN ACK
IAK>             |______|   -> RST
IAK>
IAK> Should such a ruleset work?
IAK> Previously, I've used a construction like this
>> pass in proto tcp from <nPublic> to <nPrivate>
>> block in proto tcp from <nPublic> to <nPrivate> flags S/SA
IAK> but it has a security issue: a public host could send a spoofed
IAK> TCP packet, to which the internal host responds with RST.
IAK> So a public host could perform a ping-scan (with nmap, for example)
IAK> of the internal network.
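A complete pf.conf that applies the fix described in this thread, added here as a worked example; it is not the poster's actual configuration. The interface names, the address ranges in the two tables and the choice to bind the stateful rule to the campus-facing interface are assumptions made for the example:

```pf
# Added example, not the original poster's pf.conf.
# Assumed two-interface gateway: $int_if faces the office, $ext_if faces the campus.
int_if = "fxp0"
ext_if = "fxp1"

# Assumed address ranges for the tables named in the thread.
table <nPrivate> { 192.168.10.0/24 }
table <nPublic>  { 10.0.0.0/16 }

# Default deny inbound on every interface. TCP gets an RST so a blocked
# connection attempt fails immediately instead of timing out.
block in all
block return-rst in proto tcp all

pass in on lo0 all

# Stateless passes from the original ruleset. PF uses last-matching-rule
# semantics, so these override "block in all" for the listed directions.
pass in from <nPublic>  to <nPublic>
pass in from <nPrivate> to <nPublic>
pass in from <nPrivate> to <nPrivate>

# Office -> campus TCP. The SYN is admitted on $int_if by the stateless
# rule above and is forwarded out $ext_if. Creating the state on the
# OUTBOUND side of $ext_if is what lets the campus SYN/ACK, which arrives
# INBOUND on $ext_if, match that state instead of falling through to
# "block return-rst in proto tcp all" (the RST seen in the tcpdump trace).
pass out on $ext_if proto tcp from <nPrivate> to <nPublic> keep state

# No rule creates state for campus -> office connections, so a SYN from
# the campus hits "block return-rst" and never reaches an internal host,
# which closes the RST-based scanning hole of the older flags S/SA trick.
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. While an office host opens a connection to the campus, `pfctl -s state` should show the entry created by the `pass out` rule; if the SYN/ACK still draws an RST, that entry is missing and the state is being created on the wrong interface or direction.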