>>> On 20 July 2007 at 10:04, in message
<20070720090413.GK3317@bootes.spacehopper.org>, Stuart Henderson
<stu@spacehopper.org> wrote:
quoted text
> On 2007/07/20 08:45, Gordon Ross wrote:
>> > Might be below the minimum; there's no explicit "pass out".
>>
>> No, the packets get out the "other side" of the OBSD box to the
destination,
quoted text
>> it's the return packets that get blocked.
>
> Yes, exactly. Your implicit 'pass out' will allow the outbound
> packets but it looks like this isn't stateful so it won't permit
> the return packets (current behaviour doesn't match pf.conf(5)
> docs; the diff below should address this).

Phew ! I thought my brain had gone the same way as my hair... ;-)

quoted text
> Can you try just adding 'pass out' to the top of the ruleset
> please?

I did:

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state
pass out on $out_if

and that worked.

quoted text
> I guess it will help, you could then refine it by tagging
> incoming packets and 'pass out on XX tagged FOO' which is much
> easier than doing each rule individually.

I then did:

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 tag TEST_TAG
keep state
pass out on $out_if tagged TEST_TAG

and that worked as well - and (I believe) is tighter than just a "pass out".
(Certainly solves my paranoid problem in my previous posting)

Going off on a tangent here: Why is it that I've just picked this up and
no-one else has ? Is it because I'm running in full paranoia mode and blocking
*everything* unless explicitly allowed ?

I haven't tried your diff - let me know if you want me to.

Thanks for your help, much appreciated.

GTG