On Fri, Jun 06, 2008 at 12:09:12PM -0400, Rick Aliwalas wrote:
[snip]
> one = "192.168.1.1/32"
> two = "192.168.1.2/32"
> three = "192.168.1.3/32"
> four = "192.168.1.4/32"
> five = "192.168.1.5/32"
> six = "192.168.1.6/32"
>
> pass in quick on $ext_if inet proto tcp from $one to 10.0.0.1 port ssh
> pass in quick on $ext_if inet proto tcp from $two to 10.0.0.1 port ssh
> pass in quick on $ext_if inet proto tcp from $three to 10.0.0.1 port ssh
> pass in quick on $ext_if inet proto tcp from $four to 10.0.0.1 port ssh
> pass in quick on $ext_if inet proto tcp from $five to 10.0.0.1 port ssh
> #pass in quick on $ext_if inet proto tcp from $six to 10.0.0.1 port ssh
>
> pass in all
> pass out all
> ##########################################################################
>
> All is well unless I un-comment the last pass line. Then I get the following
> output when running "pfctl -sr" :
>
> # pfctl -sr
> pass in quick on em0 inet proto tcp from <__automatic_a2219073_0> to
> 10.0.0.1 port = ssh flags S/SA keep state
[snip]

Just a wild guess -- maybe the pf optimizer substitutes the six addresses
with 192.168.1.0/29?

Martin
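
The /29 guess can be checked arithmetically. The following is an added example, not part of the original thread: it compares the six source addresses from the quoted ruleset with a candidate prefix and lists any addresses the prefix would match in addition. The function names are hypothetical.

```python
import ipaddress

# Source addresses behind the macros one..six in the quoted pf.conf.
RULE_SOURCES = [f"192.168.1.{n}/32" for n in range(1, 7)]


def exact_cover(sources):
    """Return the fewest CIDR blocks that match exactly the given sources."""
    nets = (ipaddress.ip_network(s) for s in sources)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def extra_addresses(sources, candidate):
    """Return blocks that `candidate` matches but none of `sources` did.

    An empty list means the candidate prefix is an exact replacement;
    anything else is address space the aggregated rule would newly admit.
    """
    cand = ipaddress.ip_network(candidate)
    # Collapse first so the sources are disjoint and sorted.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in sources))
    outside = [str(n) for n in nets if not n.subnet_of(cand)]
    if outside:
        raise ValueError(f"{candidate} does not cover {outside}")
    remaining = [cand]
    for net in nets:
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                # Yields the pieces of block left after removing net
                # (nothing at all when net == block).
                carved.extend(block.address_exclude(net))
            else:
                carved.append(block)
        remaining = carved
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    print("exact cover:", exact_cover(RULE_SOURCES))
    print("extra in /29:", extra_addresses(RULE_SOURCES, "192.168.1.0/29"))
```

A non-empty result from `extra_addresses` means the candidate prefix is wider than the individual rules it would replace.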