Date: Mon, 2 Dec 2019 20:40:47 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191202134047.GA14183@admin.sibptus.ru>
In-Reply-To: <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
References: <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>

Max wrote:
>
> Is this a complete ruleset?

For this lab, yes, almost complete. There is only one more line,
"nat on $outside ...", but strictly speaking, "nat" is not a rule.

> What about "pass out..." rules?

Why would I need them? In pf, it's "pass" by default.

> You should
> check other rules since you have no "quick" in your listed rules.

1. There are no other rules.

2. Even if there were, they should be irrelevant because the
"pass in on $inside" rule should create state, and states are processed
before rules.

> The last matching rule decides what action is taken.

The last matching rule on the $inside interface is "pass in on $inside".
The last matching rule on the $outside interface is
"block in on $dmz from any to 192.168.0.0/16"

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
