Stuart Henderson <s...@spacehopper.org> wrote:
> On 2010/10/03 14:24, Peter GILMAN wrote:
> >
> > Marcus Larsson <k...@mindwipe.org> wrote:
> >
> > > On Tue, Sep 21, 2010 at 10:25:11PM -0400, Peter GILMAN wrote:
> > >
> > > > can anybody see what i'm missing? i'd love to score some points
> > > > for openbsd at my job (and i'll fall back to 4.6 if i have to)
> > > > but i'd really love to get this working with 4.7. any insight
> > > > would be much appreciated.
> > >
> > > Hi
> > >
> > > You need to allow the traffic out on em1 (I assume traffic to
> > > $dsan01_grp_ip goes out via that interface).
> > >
> > > pass out on $int_if inet proto tcp from any to $dsan01_grp_ip
> > > port 80
> >
> > no; according to the man page for pf.conf, "if no rule matches the
> > packet, the default action is to pass the packet."
>
> this is true, but note that the implicit "pass" rule does _not_ keep
> state.
>
very good observation; thank you.
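
Added example, not part of the thread: a simplified Python model of the point made above, that pf's implicit default pass creates no state while an explicit pass rule does, so only the latter lets the reply back in past a block rule. The `block in` rule, the addresses and the ports are assumptions for illustration; the thread does not show the full ruleset.

```python
# Simplified model of pf's decision order (illustration only, not pf itself):
#   1. a packet that matches an existing state entry passes without rule evaluation
#   2. otherwise the last matching rule wins, and a matching "pass" creates state
#   3. if no rule matches, the implicit default passes the packet and creates no state
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface src sport dst dport")
Rule = namedtuple("Rule", "action direction iface dst dport")  # None means "any"

def matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and rule.dst in (None, pkt.dst) and rule.dport in (None, pkt.dport))

def evaluate(rules, states, pkt):
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if fwd in states:
        return "pass (state)"
    last = None
    for rule in rules:
        if matches(rule, pkt):
            last = rule
    if last is None:
        return "pass (implicit, no state)"
    if last.action == "pass":
        states.update({fwd, rev})  # the state entry covers both directions
        return "pass (rule, state created)"
    return "block"

# Constructed sample traffic: a client connecting to a web server reached via em1.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # SERVER stands in for $dsan01_grp_ip
SYN = Packet("out", "em1", CLIENT, 40000, SERVER, 80)
SYN_ACK = Packet("in", "em1", SERVER, 80, CLIENT, 40000)

# Assumed rule, not shown in the thread: inbound traffic on em1 is blocked.
BLOCK_IN = Rule("block", "in", "em1", None, None)
# The rule suggested in the thread: pass out on $int_if ... to $dsan01_grp_ip port 80
PASS_OUT = Rule("pass", "out", "em1", SERVER, 80)

def handshake(rules):
    states = set()
    return evaluate(rules, states, SYN), evaluate(rules, states, SYN_ACK)

if __name__ == "__main__":
    print("implicit pass only:", handshake([BLOCK_IN]))
    print("explicit pass out: ", handshake([BLOCK_IN, PASS_OUT]))
```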