Date: Sun, 1 Dec 2019 21:38:54 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Message-ID: <20191201143854.GB71897@admin.sibptus.ru>
In-Reply-To: <20191121151041.GA93735@admin.sibptus.ru>
References: <20191121151041.GA93735@admin.sibptus.ru>
There is still one thing I cannot understand about pf's notion of state.
Consider this very simple example:

===================================
# DMZ 172.16.1.0/24
pass in on $dmz
#block in on $dmz from any to 192.168.0.0/16

# Inside 192.168.10.0/24
pass in on $inside
===================================

While the "block ..." line is commented out, I can "telnet 172.16.1.10 80"
from 192.168.10.3. But when I uncomment the "block ..." line and restart pf,
I cannot do that any more. Why is that?

My idea was that the "pass in on $inside" creates state so that return
traffic from 172.16.1.10:80 to 192.168.10.3:52447 should be permitted, but
this is not happening. Why?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
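The following is an added illustration, not part of the message above and not FreeBSD's pf code. It is a deliberately small Python model of the three pf behaviours the question turns on: a state-table lookup happens before the ruleset is consulted, a `pass` rule creates state by default, and among the rules that match, the last one wins unless a rule says `quick`. It replays the poster's ruleset against the three packets of the connection (SYN in on $inside, SYN out on $dmz, SYN/ACK back in on $dmz) under both of pf's state policies: the default `floating`, where a state matches on any interface, and `if-bound`, where a state only matches on the interface it was created on. The message does not show a `set state-policy` line, so the `if-bound` run is an assumption used to show a configuration in which the observed symptom would appear, not a diagnosis of the poster's firewall. Names such as `Pf`, `Rule`, `Packet` and `trace_connection` are invented here; the model also ignores protocol, address family, TCP window tracking and the other keys real pf uses. On a real box the equivalent checks are `pfctl -ss` (a state bound to `all` is floating, one bound to an interface name is if-bound), `pfctl -vvsr` (per-rule evaluation and match counters), and watching `pflog0` with tcpdump for the rule number that drops the SYN/ACK.

```python
"""Toy model of pf filtering order: state lookup, then last-match ruleset.

Added example; not pf source and not the poster's configuration beyond the
three rules quoted in the message.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on ("inside" / "dmz")
    direction: str   # "in" or "out" relative to that interface
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    iface: str
    src: str = "any"
    dst: str = "any"  # "any" or a CIDR such as "192.168.0.0/16"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.iface == self.iface
                and _net_match(self.src, p.src) and _net_match(self.dst, p.dst))


def _net_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class Pf:
    """state_policy is "floating" (pf default) or "if-bound" (assumed variant)."""

    def __init__(self, rules, state_policy="floating"):
        self.rules = list(rules)
        self.state_policy = state_policy
        self.states = set()  # (iface-or-"all", src, sport, dst, dport)

    def _key(self, p: Packet, reverse=False):
        iface = p.iface if self.state_policy == "if-bound" else "all"
        if reverse:  # the reply direction of the same flow
            return (iface, p.dst, p.dport, p.src, p.sport)
        return (iface, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        # 1. State lookup comes first and covers both directions of the flow.
        if self._key(p) in self.states or self._key(p, reverse=True) in self.states:
            return "pass (state)"
        # 2. Ruleset: the last matching rule wins, unless one is marked quick.
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        # 3. No matching rule at all: pf's default is to pass, without state.
        if winner is None:
            return "pass (default)"
        if winner.action == "pass":
            self.states.add(self._key(p))  # pass rules keep state by default
            return "pass (rule)"
        return "block (rule)"


def ruleset(block_rule: bool):
    """The three rules from the message; block_rule=False is the commented-out variant."""
    rules = [Rule("pass", "in", "dmz")]
    if block_rule:
        rules.append(Rule("block", "in", "dmz", dst="192.168.0.0/16"))
    rules.append(Rule("pass", "in", "inside"))
    return rules


def trace_connection(state_policy: str, block_rule: bool = True):
    """Fate of the SYN, the forwarded SYN and the returning SYN/ACK, in order."""
    pf = Pf(ruleset(block_rule), state_policy)
    syn = Packet("inside", "in", "192.168.10.3", 52447, "172.16.1.10", 80)
    syn_fwd = Packet("dmz", "out", "192.168.10.3", 52447, "172.16.1.10", 80)
    synack = Packet("dmz", "in", "172.16.1.10", 80, "192.168.10.3", 52447)
    return [pf.filter(syn), pf.filter(syn_fwd), pf.filter(synack)]


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, trace_connection(policy))
    print("if-bound, block rule commented out:", trace_connection("if-bound", False))
```

With the default floating policy the SYN/ACK arriving in on $dmz is matched by the state the `pass in on $inside` rule created, and the `block` rule is never consulted; with if-bound states the state lives on $inside only, the SYN leaving on $dmz is default-passed without creating state, and the SYN/ACK then falls through to the ruleset, where the later `block in on $dmz ... to 192.168.0.0/16` outranks the earlier `pass in on $dmz`. Comparing the model's output with `pfctl -ss` on the real firewall is the quickest way to tell which of the two cases the box is actually in.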
