On 2007/07/20 08:45, Gordon Ross wrote:
> > Might be below the minimum; there's no explicit "pass out".
>
> No, the packets get out the "other side" of the OBSD box to the destination,
> it's the return packets that get blocked.
Yes, exactly. Your implicit 'pass out' will allow the outbound
packets but it looks like this isn't stateful so it won't permit
the return packets (current behaviour doesn't match pf.conf(5)
docs; the diff below should address this).
Can you try just adding 'pass out' to the top of the ruleset
please? I guess it will help, you could then refine it by tagging
incoming packets and 'pass out on XX tagged FOO' which is much
easier than doing each rule individually.
Index: pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.182
diff -u -p -r1.182 pf_ioctl.c
--- pf_ioctl.c 24 Jun 2007 11:17:13 -0000 1.182
+++ pf_ioctl.c 20 Jul 2007 08:56:32 -0000
@@ -177,6 +177,7 @@ pfattach(int num)
/* default rule should never be garbage collected */
pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
pf_default_rule.action = PF_PASS;
+ pf_default_rule.keep_state = PF_STATE_NORMAL;
pf_default_rule.nr = -1;
pf_default_rule.rtableid = -1;
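Review bot: with keep_state set on pf_default_rule, every packet that matches no user rule now creates a state entry instead of passing stateless, so the change deserves an explicit mention in the commit message and a check that pf.conf(5) describes the implicit default rule as stateful; rulesets that relied on the old stateless fall-through (for example on boxes with asymmetric return paths, where the reply never reaches the state) will see different behaviour, and the state table will grow with traffic it previously ignored.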
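A pf.conf sketch of the workaround suggested in the reply above, first the bare 'pass out' and then the tag-based refinement (added illustration, not from the thread; interface names and the LAN prefix are assumed):

```pf
# Added example, not from the thread; interfaces and addresses are assumed.
int_if = "em0"
ext_if = "em1"
lan    = "192.0.2.0/24"

# Quick fix: an explicit stateful 'pass out' at the top, so replies to
# anything leaving the box are admitted by state rather than by the
# (stateless, pre-patch) implicit default rule.
pass out

block log all

# Refinement: tag what is accepted on the inside, then let only tagged
# packets leave on the outside. One 'pass out' covers every inbound rule
# instead of each rule needing its own outbound counterpart.
pass in on $int_if from $lan tag LAN
pass out on $ext_if tagged LAN
```

Once the tagged rule is in place the blanket 'pass out' at the top can be dropped.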