From owner-freebsd-pf@FreeBSD.ORG Wed Feb 27 19:43:23 2008
Message-ID: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com>
Date: Wed, 27 Feb 2008 14:43:18 -0500
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: freebsd-pf@freebsd.org
Subject: floating keep state
List-Id: "Technical discussion and general questions about packet filter (pf)"

All,

I must be doing something wrong, but I can't figure it out. I have actually simplified the network structure, to keep it simple:

- a client and a web server are on different network segments;
- all incoming connections to the client are prohibited;
- the client should be allowed to access the web server and get a reply.

Here are the rules:

    set state-policy floating
    pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
    block in log to

In the pflog I can see that the reply packet from the www server is blocked on the server segment's interface. I thought 'set state-policy floating' should create a rule that is interface independent and allow a reply? Am I wrong?

Thank you,
Vadym Chepkov
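The rule set from the message, written out as a complete pf.conf for the two-segment topology it describes. This is an added example, not code from the original message or from the pf project; the interface names, network addresses, web server address and the value of $www_tcp_ports are assumptions. The comments state how a floating state is expected to behave for the reply packet, contrast that with the if-bound case in which the reply would hit the block rule on the server-side interface, and list the pfctl and tcpdump checks that show which of the two is actually happening.

```pf
# Added example: a minimal pf.conf for the topology described above.
# Assumptions (not from the original post): em0 faces the client segment
# 10.0.0.0/24, em1 faces the server segment 192.168.1.0/24, the web server
# is 192.168.1.10 and $www_tcp_ports is just port 80.
client_if     = "em0"
srv_if        = "em1"
client_net    = "10.0.0.0/24"
www_server    = "192.168.1.10"
www_tcp_ports = "{ 80 }"

# Options must come before the filter rules. With "floating" (pf's default),
# a state entry is not tied to the interface it was created on, so the
# SYN/ACK coming back in on $srv_if can match the state created by the SYN
# that came in on $client_if and is never evaluated against the block rule.
# With "if-bound" the same state would only match on $client_if, and the
# reply arriving on $srv_if would be blocked and logged.
set state-policy floating

# Default deny, logged, so anything that matches neither a state nor a pass
# rule shows up on pflog0. This also prohibits all incoming connections to
# the client segment.
block in log all

# Client -> web server: the SYN creates the state; every later packet of the
# connection, in both directions and on both interfaces, is passed by the
# state rather than by rule evaluation. "quick" stops evaluation here, so
# the block rule above is never the last match for the SYN.
pass in quick on $client_if proto tcp from $client_net to $www_server \
    port $www_tcp_ports flags S/SA keep state

# Per-rule override: this form makes the state interface-bound even though
# the global policy is floating, which is exactly the case in which the
# reply on $srv_if is logged by the block rule above.
#   pass in quick on $client_if proto tcp from $client_net to $www_server \
#       port $www_tcp_ports flags S/SA keep state (if-bound)

# Checks (run as root on the firewall):
#   pfctl -vnf /etc/pf.conf        # parse and print the expanded rule set
#   pfctl -ss                      # floating states are listed under "all",
#                                  # if-bound states under the interface name
#   tcpdump -n -e -ttt -i pflog0   # prints interface, direction and rule
#                                  # number for every logged packet
```

If `pfctl -ss` shows the client-to-server state under an interface name rather than under "all", the state is if-bound despite the global option; if it shows no state at all while pflog0 records the SYN/ACK being blocked, the SYN never created one, and the rule number printed by tcpdump on pflog0 identifies which rule handled each packet.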