On Thu, Feb 26, 2009 at 01:14:43PM +1100, Rod Whitworth wrote:
> On Wed, 25 Feb 2009 17:39:31 -0800, patrick keshishian wrote:
>
> >The floating states based on line 10 would be for pre-NAT sources on
> >$int_if and wouldn't match any inbound packets on $ext_if. Unless I'm
> >misunderstanding how NAT works with pf, there are no pass out rules
> >that would create states for these packets:
> >
> >from pf.conf(5):
> >
> > Since translation occurs before filtering the filter engine will see
> > packets as they look after any addresses and ports have been translated.
> > Filter rules will therefore have to filter based on the translated
> > address and port number. Packets that match a translation rule are only
> > automatically passed if the pass modifier is given, otherwise they are
> > still subject to block and pass rules.
> > ...
> > Translation rules apply only to packets that pass through the specified
> > interface, and if no interface is specified, translation is applied to
> > packets on all interfaces.
>
> That's all fine but, pray tell, which rule is doing the blocking?
> The only block I can see says "09 block in log all" - no block out
> anything.
The 'block in' will block return traffic since no state is matching for outbound traffic (see prior emails about translation before filtering).

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
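The following pf.conf fragment is a constructed illustration of the pf.conf(5) passage quoted in the thread (translation before filtering, so rules on the external interface must be written against the translated address); it is not the ruleset the thread is discussing, which is not shown. Interface names, the "keep state" wording of the OpenBSD 4.x era and the address macros are assumptions.

```conf
# Constructed pf.conf fragment (OpenBSD 4.x era syntax), added as an example.
# Interface names and network macros are assumptions, not values from the thread.
ext_if = "em0"
int_if = "em1"

# Translation is applied before filtering. Without the "pass" modifier this
# rule only rewrites the source address; the translated packet must still
# satisfy the block/pass rules below.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default-deny inbound on every interface (the pattern discussed above).
block in log all

# Inbound on the LAN interface the filter sees the private source address,
# so the state this rule creates is keyed on the pre-translation address and
# does not describe the packet as it later appears on $ext_if.
pass in on $int_if from $int_if:network to any keep state

# On the external interface the filter sees the packet after translation, so
# the outbound rule is written in terms of the translated source. The state
# it creates is what matches the reply arriving inbound on $ext_if, which
# would otherwise be dropped by "block in log all".
pass out on $ext_if from ($ext_if) to any keep state

# Alternative: let the translation rule itself pass the packet by adding the
# "pass" modifier described in pf.conf(5).
# nat pass on $ext_if from $int_if:network to any -> ($ext_if)
```

Load with `pfctl -f /etc/pf.conf` and compare `pfctl -ss` before and after the outbound rule is added: the useful check is whether a state entry keyed on the external address appears for a connection initiated from the LAN.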

