On 20/03/07, Stuart Henderson <stu@spacehopper.org> wrote:
quoted text
> On 2007/03/20 09:24, Lawrence Horvath wrote:
> > is there a way to tag the packets going to pflog, i can see the
> > packets being blocked with tcpdump on /var/log/pflog, but i would like
> > to know what rule is blocking them
>
> if you use '-e' to tcpdump, it dumps the link-layer headers -
> on a pflog(4) interface this includes the rule number.
>
>

switched to the below rules, it seems that it was ignoring the
exterior interface, perhaps because it has no ip on it or perhaps
because its in a bridge, not sure

in fact it seems to ignore all rules on the exterior interface
completely, could anyone shed some light on why that is? and how i can
get it to pass through both interface rules?

is it possible to put the IP on the bridge interface instead of one of
the ether interfaces? in order to make the firewall IP independant of
any one interface?

# pfctl -s rules
block return in log on xl0 all
block drop in log on xl1 all
pass in on xl1 inet from any to 192.168.25.253 keep state
pass out on xl0 all
pass out on xl1 all
pass in on xl0 inet from any to 192.168.25.33
pass in on xl1 inet from 192.168.25.33 to any
pass in on xl0 inet from any to 192.168.25.69
pass in on xl1 inet from 192.168.25.69 to any
pass in on xl0 inet from any to 192.168.25.84
pass in on xl1 inet from 192.168.25.64 to any
pass in on xl0 inet from any to 192.168.25.100
pass in on xl1 inet from 192.168.25.100 to any
pass in on xl0 inet from any to 192.168.25.201
pass in on xl1 inet from 192.168.25.201 to any
pass in on xl0 inet from any to 192.168.25.252
pass in on xl1 inet from 192.168.25.252 to any

-- 
-Lawrence
-Student ID 1028219
-CCNA