Michael David <servers.david%gmail.com@localhost> writes:

> I want to allow ALL outgoing traffic on wm0 and only allow ssh and http in
> on wm0
>
> My rules are as follows:
>
> pass out quick on any all   //this I believe will take care of lo0 also
>
> pass in quick on wm0 proto tcp from any to any port = 22 keep state
> pass in quick on wm0 proto tcp from any to any port = 80 keep state

Your basic issue is that you need to allow replies to outgoing traffic.

So, my advice: do not use quick. That's a preference, but I like last match.

Basic setup:

pass out keep state
block in
pass in port 22

So then all outgoing packets are allowed, and the pass out will set up per-flow dynamic allow rules to let replies back in.

You may also want keep frags somehow. I'm fuzzy on the details, but in the modern world you may see fragments coming back to DNS queries due to DNSSEC key records.
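A complete ruleset in the last-match style the reply recommends, written out here as an added example in ipfilter (ipf.conf) syntax; it is not from either poster. It assumes the NetBSD host uses ipf with its default last-match evaluation (no quick), that wm0 is the only external interface, and that lo0 gets explicit pass rules rather than relying on the kernel's compiled-in default policy. The port 80 rule comes from the original question, the port 22 rule is the reply's "pass in port 22".

```ipf
# /etc/ipf.conf -- added example, last-match semantics (no "quick"),
# so the final rule that matches a packet decides.
# Interface names (lo0, wm0) are assumptions.

# Loopback: pass unconditionally in both directions so local services
# never depend on the default policy.
pass in  on lo0 all
pass out on lo0 all

# Everything leaving wm0 is allowed. "keep state" creates a per-flow
# entry (ipf tracks TCP, UDP and ICMP) that lets the replies back in;
# the state table is consulted before the rule list, so the "block in"
# below never sees a reply to traffic we started. "keep frags" is meant
# to let later fragments of such a reply through, e.g. a large DNSSEC
# answer to an outgoing DNS query.
pass out on wm0 all keep state keep frags

# Default deny for unsolicited inbound traffic on wm0.
block in on wm0 all

# Exceptions, listed last so they win under last-match: new ssh and
# http connections. "flags S" restricts the rule to the initial SYN;
# the state entry then carries the rest of the connection in both
# directions.
pass in on wm0 proto tcp from any to any port = 22 flags S keep state
pass in on wm0 proto tcp from any to any port = 80 flags S keep state
```

Load it with ipf -Fa -f /etc/ipf.conf, then make an outgoing connection and list the state table with ipfstat -sl to confirm that the pass out rule created an entry for it; if replies still do not come back, check the fragment handling with ipfstat before adding broader inbound pass rules.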