Hi Shane, Heya and others. I tried a new setup, using tables (look more 
eficient than using a thousan rules to each variable). But is still 
failing :(

    # tables
    table <msn-rdr> persist const file "/etc/pf.conf.d/msn-rdr"
    table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

    # msn proxy
    rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any
    port 1863 -> $proxy
    rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any
    port 25000:30000 -> $proxy

    # msn filter
    pass out quick on { $lan1_iface, $lan2_iface } inet proto tcp from
    <msn-rdr> to $proxy port 1863
    block out quick on ! $inet_iface inet proto tcp from ! <msn-allow>
    to any port 1863

In the msn-rdr table are IP of the hosts that should be redirected to 
the proxy, and in the msn-allow are the IP of the hosts that should be 
allowed to connect directly with the MSN over the internet (including 
the host $proxy). The $proxy host is in a fourth interface named $dmz_iface.

If i remove the "quick" statement of the block rule, anyone in any 
interface can connect, and with the 'quick' statement, no one can =S.
Also, back in february, when i just redirected everyone to the proxy, 
the rdr rules used to work, but with this more selective rule, it's not 
working at all.

Tks in advance.

Leonardo Carneiro - Veltrac wrote:
quoted text
> Shane Lazarus wrote:
>> Heya
>>
>> On Tue, Apr 20, 2010 at 5:43 AM, Leonardo Carneiro - Veltrac 
>> <lscarneiro@veltrac.com.br <mailto:lscarneiro@veltrac.com.br>> wrote:
>>
>>     My OpenBSD firewall has 4 interfaces: 2 lan, 1 wan and 1 dmz.
>>     What i'm trying to do is:
>>
>>  
>>
>>
>>     1. Allow some hosts to use MSN;
>>      2. Redirect the MSN connections of some hosts from the LAN
>>     interfaces to a MSN proxy in the DMZ interface;
>>     3. Block the rest.
>>
>>     This is how i'm trying to achieve:
>>
>>        # msn proxy redirect
>>        rdr on $lan1_iface proto tcp from $msn-redirect to any port 
>> 1863 ->
>>        $proxy
>>        rdr on $lan1_iface proto tcp from $msn-redirect to any port
>>        25000:30000 -> $proxy
>>        # msn filter
>>        pass out quick on $inet_iface inet proto tcp from 
>> $msn-redirect to
>>        $proxy port 1863 keep state
>>        pass out quick on $inet_iface inet proto tcp from 
>> $msn-allowed1 to
>>        any port 1863 keep state
>>        pass out quick on $inet_iface inet proto tcp from 
>> $msn-allowed2 to
>>        any port 1863 keep state
>>        pass out quick on $inet_iface inet proto tcp from $proxy to any
>>     port
>>        1863 keep state
>>        block out on $inet_iface inet proto tcp from any to any port 1863
>>
>>
>> Is the reference to passing out the redirected traffic to the $proxy 
>> via the $inet_interface instead of the $dmz_interface correct, a typo 
>> or the issue?
>>
>> Shane
>>
>>  
> Hi Shane. No, it's not a typo. It's a last second modification that i 
> tried before send the email. Was 'any' before i replace with '$proxy'. 
> However, like you well observed, it's wrong :(
>
> I'll try other rules today and i'll post then here. Tks for you concern.