Subject: Re: IP-Filter changes wrt keeping state
To: Martin J. Laubach <mjl@netbsd.org>
From: mouss <usebsd@free.fr>
List: tech-net
Date: 11/03/2005 00:05:47
Martin J. Laubach wrote:

>
>	block in all on internal-IF head 10
>	pass out proto tcp from any to any port = 1234 keep state group 10
>

Does the last rule really use "out" as the group definition, or is it a typo?

>  and on the external one
>
>	block out all on external-IF head 20
>	pass out proto tcp from any to 1.2.3.4 port = 1234 keep state group 20
>

So you allow outbound to port 1234 on the internal interface and outbound to
1.2.3.4 port 1234 on the external interface? I fail to see what you want to
do.

>
>  Under 1.6 this worked fine, restricting the reachable hosts for port
> 1234 to 1.2.3.4. Under 2.0, this allows connecting to ANY host on port 1234.
>
>  I'm a bit stumped -- has something dramatic changed or is my ipf.conf
> logic flawed?
>
>	mjl
>
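
As an added illustration (not from either message in this thread), here is the head/group layout written the way it is usually done, with each group rule carrying the same direction and interface as its head. The interface names (fxp0 internal, fxp1 external) are assumed, the token order follows ipf.conf(5) (`on <if>` before `all`), and the reading that the internal-side rule was meant to be `in` is an assumption; the thread itself does not resolve that question.

```ipf
# Added illustration, not from either poster's ipf.conf.
# Assumptions: fxp0 is the internal (LAN) interface, fxp1 the external one, and
# the internal-side rule was meant to be "in" (the question raised above).
#
# A group's rules are only evaluated for packets that matched the group's head
# rule.  The quoted head on the internal interface matches inbound packets, so a
# "pass out ... group 10" rule under it is never reached; group rules are
# normally written with the same direction and interface as their head.

# Internal interface: LAN hosts may open TCP connections to port 1234;
# everything else arriving on fxp0 is blocked by the head.
block in on fxp0 all head 10
pass in on fxp0 proto tcp from any to any port = 1234 keep state group 10

# External interface: of the traffic leaving fxp1, only TCP to 1.2.3.4:1234
# is allowed; the head blocks the rest.
block out on fxp1 all head 20
pass out on fxp1 proto tcp from any to 1.2.3.4 port = 1234 keep state group 20
```

The two heads together express the restriction Martin describes: port 1234 may be reached from the LAN, but only at 1.2.3.4 on the way out.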