"Ilya A. Kovalenko" <[EMAIL PROTECTED]> writes:

>>> block in inet from 192.168.0.1 to 192.168.114.31
>>> pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
>>> (does not work - neither pings nor TCP)
>> Here, you only pass the *inbound* packets; you also must
>> pass the outbound packets on the opposite interface.
>
> So, a single state entry affects traffic on a single interface only?
No. Your pass rule only affects incoming traffic. You say, essentially,

  block incoming traffic with a source address equal to 192.168.0.1 and a
  destination address equal to 192.168.114.31

  pass incoming traffic with a source address equal to 192.168.114.31 and a
  destination address equal to 192.168.0.1

Unless you are happy with the traffic only reaching your gateway, you need
to specify how the traffic is to go out to the destination address.

In simple environments it is possible to work around the problem by
omitting direction (implicitly writing rules for both inbound and outbound
traffic), i.e.

  block inet from 192.168.0.1 to 192.168.114.31
  pass inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
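The same fix written out as explicit per-interface rules, as an added pf.conf fragment that is not part of the thread. The interface names are assumptions: em0 faces 192.168.0.1 and em1 faces 192.168.114.31.

```conf
# Assumed interface names (not from the thread).
ext_if = "em0"   # side of 192.168.0.1
int_if = "em1"   # side of 192.168.114.31

# Drop the 192.168.0.1 -> 192.168.114.31 direction as it enters the gateway.
block in on $ext_if inet from 192.168.0.1 to 192.168.114.31

# The poster's original rule: it only admits the packets *into* the
# gateway on $int_if, it says nothing about leaving on $ext_if.
pass in  on $int_if inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state

# The matching outbound rule on the opposite interface; "keep state" on
# both rules also lets the reply packets through without further rules.
pass out on $ext_if inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /path/to/pf.conf`, and after loading, `pfctl -ss` shows whether a state entry was created for the connection.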