Date:      Tue, 20 May 2008 18:27:47 -0700
From:      "Jason C. Wells" <jcw@highperformance.net>
To:        freebsd-pf@freebsd.org
Subject:   nat pass and state
Message-ID:  <48337A93.9090003@highperformance.net>

I have these rules (and others) in pf.conf:

nat pass on $ext_if from $int_net to any -> ($ext_if)

block in all
block out all

I cannot connect to websites unless I also add:

pass proto { tcp, udp } from any to any port http keep state

My understanding is that nat rules are inherently stateful.  I also 
understand that a packet that matches state bypasses filter rules.  A 
hit on a web page should generate a state on the way out and then match 
that state on the way back in, avoiding the block rules.  By testing, I 
show that the pass http rule is needed to complete the connection.

Would someone please explain why the nat rule is not sufficient to allow 
me to access a web page?  I must have a gross conceptual error on how PF 
works.  This is too simple, but I just don't get it.

Regards,
Jason
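The following pf.conf is an added example and is not the poster's configuration or anything from the thread. It shows the usual way the nat rule is paired with stateful filter rules so that HTTP replies are let back in: the nat rule only records a translation state, and a filter state (created by a stateful pass rule) is what the returning packets match. The interface names em0/em1, the $int_if macro and the 192.168.1.0/24 network are assumptions.

```pf
# Added example, not the poster's pf.conf. Macro values are assumed.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Translation only: rewrites the source address of outbound packets
# from $int_net and records a translation (nat) state. This is a
# separate thing from a filter state, so it does not by itself let
# the reply packets past the block rules below.
nat on $ext_if from $int_net to any -> ($ext_if)

block in all
block out all

# Stateful filter rules for HTTP. The filter state created when the
# request leaves on $ext_if is what the reply matches when it comes
# back in on $ext_if, so no "pass in" for the reply is needed.
pass in  on $int_if proto { tcp, udp } from $int_net to any port http keep state
pass out on $ext_if proto { tcp, udp } from any      to any port http keep state
```

After loading this with `pfctl -f /etc/pf.conf`, `pfctl -s nat` lists the translation rules and `pfctl -s state` lists the states; with only the nat rule loaded you will see a translation state for a connection attempt but the reply is still dropped by `block in all`, whereas with the two pass rules the state table entries for the request are what the reply is matched against.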



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48337A93.9090003>