From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 17:49:30 2005
Date: Fri, 4 Mar 2005 18:49:27 +0100
From: Daniel Hartmeier
To: Ben Shelton
cc: freebsd-pf@freebsd.org
Subject: Re: pf routing issue?
Message-ID: <20050304174927.GC6369@insomnia.benzedrine.cx>
In-Reply-To: <42289DEA.5050205@shelton.ca>

On Fri, Mar 04, 2005 at 09:42:02AM -0800, Ben Shelton wrote:

> pass in quick inet proto tcp from any to x.x.x.x keep state

This allows only incoming packets (on any interface). It does not allow packets to go out through any interface. Even if a packet first comes in on one interface, and is then routed out through another interface, that second step is blocked, because the rule does not allow packets to go out through any interface.

What else did you expect the 'in' option in that rule to do?

If I understand you correctly, you've been trying to connect _from_ the firewall to another host (getting the 'no route to host' error, which has a new additional meaning, issued also when pf blocks an outgoing packet from a local socket), so you should expect outgoing packets on some interface...

Daniel
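The rule set below is an added illustration of the point in this reply, not configuration from the original thread or from the pf project: the `pass in` rule from the question is shown next to the `pass out` rule it is missing. The interface name `em0` and the address `192.0.2.10` (standing in for x.x.x.x) are assumed placeholders.

```pf
# Added example (not from the thread). Placeholders: $ext_if and $srv are assumed.
ext_if = "em0"
srv    = "192.0.2.10"   # stands in for x.x.x.x from the question

# Default deny in both directions, so every permitted direction needs its own rule.
block log all

# The rule from the question. It matches packets arriving on any interface
# destined to $srv and creates state so the replies to those inbound
# connections are passed. It says nothing about packets leaving the host.
pass in quick inet proto tcp from any to $srv keep state

# Missing from the question. Without a 'pass out' rule, a TCP connection
# initiated by the firewall itself is blocked on the outbound interface and
# the local socket reports "No route to host", as the reply explains.
# Restricting to $ext_if keeps this narrower than 'pass out ... on any'.
pass out quick on $ext_if inet proto tcp from any to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` (parse only) before loading it, and after loading compare `pfctl -sr` to confirm both the `in` and the `out` rule are present; a block-by-default set with only `pass in` rules is the pattern the reply describes.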