On Sat, Mar 16, 2013 at 5:44 AM, Greg Troxel
<gdt%ir.bbn.com@localhost> wrote:
Michael David <
servers.david%gmail.com@localhost> writes:
> I want to allow ALL outgoing traffic on wm0 and only allow ssh and http in
> on wm0
>
> My rules are as follows:
>
> pass out quick on any all    // this I believe will take care of lo0 also
>
> pass in quick on wm0 proto tcp from any to any port = 22 keep state
> pass in quick on wm0 proto tcp from any to any port = 80 keep state
Your basic issue is that you need to allow replies to outgoing traffic.
So, my advice:

Do not use quick. That's a preference, but I like last match.

Basic setup:

pass out keep state
block in
pass in port 22

So then all outgoing packets are allowed, and the pass out will set up
per-flow dynamic allow rules to let replies back in.

You may also want keep frags somehow. I'm fuzzy on the details, but in
the modern world you may see fragments coming back to DNS queries due to
DNSSEC key records.
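A complete ipf.conf that puts the advice above into practice for the situation in the question (an added example, not from either poster; the wm0 interface name is the one from the thread, everything else is assumed):

```ipf
# Added example ipf.conf: last-match semantics (no "quick"), default-deny
# inbound on wm0, stateful outbound. Only the interface name wm0 comes
# from the thread; the rest is an assumed layout.

# Loopback is unrestricted; no state needed.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default deny everything arriving on wm0. Later rules override this
# because without "quick" the last matching rule wins.
block in log on wm0 all

# Everything out, with a state entry so replies are let back in.
# "keep frags" lets fragments belonging to a stateful flow through,
# which matters for large UDP DNS answers carrying DNSSEC records.
pass out on wm0 proto tcp  from any to any flags S keep state
pass out on wm0 proto udp  from any to any keep state keep frags
pass out on wm0 proto icmp from any to any keep state

# The only inbound services: ssh and http. "flags S" means only an
# initial SYN creates a state entry; later packets of the connection
# are matched by the state table, not by these rules.
pass in on wm0 proto tcp from any to any port = 22 flags S keep state
pass in on wm0 proto tcp from any to any port = 80 flags S keep state
```

Because the default-deny rule is evaluated under last-match, any inbound rule placed after it takes precedence, so new services go below "block in" and nothing else has to change.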