Marcus Larsson <k...@mindwipe.org> wrote:
> On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
>
> > can anybody see what i'm missing? i'd love to score some points
> > for openbsd at my job (and i'll fall back to 4.6 if i have to) but
> > i'd really love to get this working with 4.7. any insight would be
> > much appreciated.
>
> Hi
>
> You need to allow the traffic out on em1 (I assume traffic to
> $dsan01_grp_ip goes out via that interface).
>
> pass out on $int_if inet proto tcp from any to $dsan01_grp_ip port 80

no; according to the man page for pf.conf, "if no rule matches the packet, the default action is to pass the packet." in other words, all traffic is allowed by default unless it's explicitly blocked, and my ruleset does not block any traffic on em1 (in fact, my ruleset has no rules for em1 at all; the macro is redundant). traffic is already allowed out on em1 and does not need a rule to allow it.

thank you anyway for writing.

since i wasn't able to make this work, the effort at my job was abandoned. i doubt they will let me try openbsd any more. it's a shame. somehow, daniel's pf always worked exactly as documented but ever since henning "improved" it i can't make it work any more...