On Tue, 24 Feb 2009, Hilco Wijbenga wrote:
> 2009/2/23 Jason Dixon <jason@dixongroup.net>:
>> ##########################################################
>> 00 ext_if = "sk0"
>> 01 int_if = "sk1"
>> 02
>> 03 set skip on lo
>> 04
>> 05 scrub in
>> 06
>> 07 nat on $ext_if from $int_if:network to any -> ($ext_if:0)
>> 08
>> 09 block in log all
>> 10 pass in on $int_if inet keep state
>> ##########################################################
>
> I tried this and I'm afraid it doesn't work. I can't ping anymore,
> neither from my own box nor from the firewall. This setup is basically
> what I also found in the books I have, I guess. :-(
>
> DHCP works (i.e. my box gets an IP from the DHCP daemon on the
> firewall) and I can see maradns receiving requests from localhost (the
> firewall) and from the int_if (my box) when I try to ping something.
> It's all blocked by the firewall, though.
Are you sure that ext_if = "sk0" and int_if = "sk1" and not the other way
round?
Btw, if you want your firewall to answer your ISP's ping packets, add the
following line (11):
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type echoreq
Regards,
David
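A small model of the rule evaluation discussed above, added here as an illustration and not code from the thread: it applies pf's last-matching-rule and state-table behaviour (simplified, with NAT and scrub ignored) to the quoted ruleset, using constructed addresses, to show what happens when the LAN is actually attached to sk0 rather than sk1 and what David's line 11 changes.

```python
MACROS = {"ext_if": "sk0", "int_if": "sk1"}  # as in the quoted pf.conf

# (action, direction, interface macro or None for "all", proto or None, keep state)
RULESET = [
    ("block", "in", None, None, False),       # 09 block in log all
    ("pass", "in", "int_if", None, True),     # 10 pass in on $int_if inet keep state
]
LINE_11 = ("pass", "in", "ext_if", "icmp", True)  # David's suggested line 11

def _matches(rule, pkt, macros):
    _, direction, iface, proto, _ = rule
    return (direction == pkt["dir"]
            and (iface is None or macros[iface] == pkt["iface"])
            and (proto is None or proto == pkt["proto"]))

def filter_packet(pkt, ruleset, macros, state):
    """Return 'pass' or 'block'. state is a set of (proto, src, dst) keys checked
    on every interface before the ruleset, like pf's floating states. NAT is
    ignored here, so a reply is simply the key with src and dst swapped."""
    key = (pkt["proto"], pkt["src"], pkt["dst"])
    if key in state or (pkt["proto"], pkt["dst"], pkt["src"]) in state:
        return "pass"
    winner = None
    for rule in ruleset:          # pf: the last matching rule decides
        if _matches(rule, pkt, macros):
            winner = rule
    if winner is None:
        return "pass"             # pf's default when nothing matches
    if winner[0] == "pass" and winner[4]:
        state.add(key)
    return winner[0]

def _pkt(iface, src, dst):        # inbound ICMP packet with constructed addresses
    return {"dir": "in", "iface": iface, "proto": "icmp", "src": src, "dst": dst}

def lan_ping(ruleset, macros, lan_iface):
    """Echo request from the LAN box entering on lan_iface, then the echo
    reply entering on the other interface (only if the request got out)."""
    state = set()
    other = "sk0" if lan_iface == "sk1" else "sk1"
    req = filter_packet(_pkt(lan_iface, "192.168.1.10", "203.0.113.5"), ruleset, macros, state)
    rep = "not sent" if req != "pass" else filter_packet(
        _pkt(other, "203.0.113.5", "192.168.1.10"), ruleset, macros, state)
    return req, rep

def isp_ping(ruleset, macros):
    """Echo request from the ISP side arriving on the external interface."""
    return filter_packet(_pkt("sk0", "203.0.113.5", "198.51.100.2"), ruleset, macros, set())
```

With the macros as written, `lan_ping(RULESET, MACROS, "sk0")` is blocked by line 09 before any state exists, which is the symptom Hilco describes if the interfaces are swapped; `isp_ping` only passes once `LINE_11` is appended.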