Jaime Vargas wrote:

pass out log all

You probably want "keep state" on the pass out rule. The SYN/ACK reply from $app_net isn't being allowed in this ruleset. You can see that in your tcpdump capture below:


02:08:14.260021 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3766929988:3766929988(0) ack 2049456174 win 17520 <mss 1460,nop,wscale 0,[|tcp]> (DF)




.joel
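A way to spot this symptom in a longer pflog capture, as an added example that is not part of the original message: it flags blocked inbound SYN/ACKs and checks whether the matching outbound SYN was logged as passed, which points at a pass rule without "keep state". The function name and the two sample lines marked as constructed are assumptions; the remaining sample line is the capture quoted above.

```python
import re

# Shape of the pflog lines tcpdump prints, as in the capture quoted above.
PFLOG_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+) (?P<rest>.*)$"
)

SAMPLE = [
    # Constructed: the outbound SYN that the "pass out log all" rule would log.
    "02:08:14.259876 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > "
    "192.168.100.52.51011: S 2049456173:2049456173(0) win 16384 <mss 1460> (DF)",
    # From the message above: the SYN/ACK reply, blocked on the way back in.
    "02:08:14.260021 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > "
    "192.168.0.2.56848: S 3766929988:3766929988(0) ack 2049456174 win 17520 "
    "<mss 1460,nop,wscale 0,[|tcp]> (DF)",
    # Constructed: an unsolicited inbound SYN, which is not a missing-state symptom.
    "02:09:01.000000 rule 0/0(match): block in on sis1: 10.0.0.9.40000 > "
    "192.168.0.2.22: S 1:1(0) win 1024",
]

def find_stateless_replies(lines):
    """Return blocked inbound SYN/ACKs and whether the outbound SYN was seen passing."""
    passed_syns = set()  # (src, sport, dst, dport) of SYNs logged as "pass out"
    findings = []
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        is_syn = "S" in f["flags"]
        has_ack = re.search(r"\back \d+", f["rest"]) is not None
        if f["action"] == "pass" and f["dir"] == "out" and is_syn and not has_ack:
            passed_syns.add((f["src"], f["sport"], f["dst"], f["dport"]))
        elif f["action"] == "block" and f["dir"] == "in" and is_syn and has_ack:
            findings.append({
                "rule": int(f["rule"]), "iface": f["iface"],
                "client": f"{f['dst']}:{f['dport']}",
                "server": f"{f['src']}:{f['sport']}",
                # True when the reverse flow's SYN was passed out earlier in the log.
                "outbound_syn_logged": (f["dst"], f["dport"], f["src"], f["sport"]) in passed_syns,
            })
    return findings

if __name__ == "__main__":
    for finding in find_stateless_replies(SAMPLE):
        print(finding)
```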
