Date: Fri, 22 Nov 2019 09:42:50 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Message-ID: <3d9c5663-3eb5-fd5a-bd72-041bbe392fe7@FreeBSD.org>
In-Reply-To: <20191122061950.GA25286@admin.sibptus.ru>
References: <20191121151041.GA93735@admin.sibptus.ru> <59ac7be3-b79d-a13e-b64f-cd4dae43b9e4@tuxpowered.net> <20191122061950.GA25286@admin.sibptus.ru>
On 22/11/2019 06:19, Victor Sudakov wrote:
>>> 2. ICMP traffic in any direction
>> Sounds like a bad idea. Why would you do it?
> Well, for example, if a host in $inside_net sends a UDP datagram to a
> host in $dmz_net which generates an ICMP port unreachable message, I
> want the host in $inside_net to actually receive the message. If pf is
> THAT stateful and smart, then this rule is not necessary.

I believe that pf is clever enough to pass ICMP messages associated with a
TCP or UDP connection for which it already has an established state without
needing any specific additional rules. BICBW.

Cheers,

Matthew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3d9c5663-3eb5-fd5a-bd72-041bbe392fe7>
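The point Matthew makes above, as an added configuration example that is not part of the thread: a minimal pf.conf for a gateway with an inside network and a DMZ that relies on pf's state table instead of a blanket "pass icmp" rule. pf matches an ICMP error message (port unreachable, fragmentation needed, and so on) against the state of the TCP/UDP packet quoted in the ICMP payload, so the DMZ host's port-unreachable reply to an inside host's UDP datagram is passed by the UDP state alone. Interface names, the network ranges and the use of the RFC 5737 documentation prefixes are assumptions.

```pf
# Added example (not from the thread). Interface and network names are assumed.
ext_if     = "em0"
int_if     = "em1"
dmz_if     = "em2"
inside_net = "192.0.2.0/24"     # assumed; RFC 5737 documentation range
dmz_net    = "198.51.100.0/24"  # assumed; RFC 5737 documentation range

set skip on lo0
set state-policy floating       # the default: states are not bound to one interface

block log all                   # default deny; "log" copies drops to pflog0

# Inside -> DMZ: each TCP connection / UDP flow gets a state entry on both
# interfaces it crosses. An ICMP error sent back by the DMZ host quotes the
# original UDP header, and pf looks that header up in the state table, so the
# error is passed back to the inside host with no icmp rule at all.
pass in  on $int_if proto { tcp udp } from $inside_net to $dmz_net keep state
pass out on $dmz_if proto { tcp udp } from $inside_net to $dmz_net keep state

# Not needed for the case discussed in the thread, and too broad in general:
# pass proto icmp all

# If inside hosts should be able to ping the DMZ, allow only echo requests and
# let state tracking pass the matching echo replies.
pass in  on $int_if inet proto icmp from $inside_net to $dmz_net icmp-type echoreq keep state
pass out on $dmz_if inet proto icmp from $inside_net to $dmz_net icmp-type echoreq keep state
```

To check the behaviour rather than trust it: from an inside host send a UDP datagram to a closed port on a DMZ host (for example with `nc -u`), confirm the flow appears in `pfctl -ss` on the gateway, and watch `tcpdump -n -e -ttt -i pflog0 icmp` on the gateway at the same time. If the port-unreachable message were being blocked it would show up on pflog0 because of `block log all`; if it does not, the UDP state carried it through. `keep state` is already the default for pass rules on any pf new enough to run on a supported FreeBSD, so it is written out here only to make the reliance on state explicit.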