Date: Wed, 27 Feb 2008 14:43:18 -0500
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: freebsd-pf@freebsd.org
Subject: floating keep state
Message-ID: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com>

All,

I must be doing something wrong, but I can't figure it out.
I actually simplified the network structure, to keep it simple

- a client and a web server are on different network segments;
- all incoming connections to the client are prohibited;
- client should be allowed to access web server and get a reply;

Here are the rules:

    set state-policy floating
    pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state
    block in log to <protected_dev_net>

In the pflog I can see that the reply packet from the www server is blocked on the server's segment interface.
I thought 'set state-policy floating' should create a rule interface independent and allow a reply? Am I wrong?

Thank you,
Vadym Chepkov