Date:      Thu, 4 Apr 2019 14:52:17 +0700
From:      Victor Sudakov <vas@mpeks.tomsk.su>
To:        freebsd-net@freebsd.org
Subject:   Re: need help with ipfw nat to pf nat migration
Message-ID:  <20190404075217.GB18774@admin.sibptus.ru>
In-Reply-To: <27907a35-8cae-06d0-a0e6-b7deb64ecbfd@viklenko.net>
References:  <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru> <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net> <20190404043004.GA10861@admin.sibptus.ru> <4587c1d4-0fa6-40db-c394-5b3a2ee81646@viklenko.net> <27907a35-8cae-06d0-a0e6-b7deb64ecbfd@viklenko.net>

Artem Viklenko via freebsd-net wrote:

> >>
> >>> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep
> >>> state allow-opts tag SERVER
> >>
> >> 2.
> >>
> >>> block return-rst out log quick on $mob_if inet proto tcp to any port 25
> >>> tagged SERVER
> >>
> >> You have already passed the packet with "quick" in the first rule, it
> >> probably will never hit the second "block" rule?
> >>
> >
> > No, each rule bound to different interface - i.e. different conditions.
>
> Actually, you should check state-policy in your configuration.
> In my firewalls there is already present
>
> set state-policy if-bound
>
> as routing typically static.

I had the impression that a packet matching a "quick" rule leaves pf
processing for good and is not evaluated by subsequent rules.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
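
Added example (not part of the original message and not pf's own code): a simplified Python model of how pf evaluates the two quoted rules for a forwarded packet, once inbound on $int_if and once outbound on $mob_if, with the tag carried between the two passes. The address 192.0.2.10 standing in for $server, the interface name ext_if, and the omission of state tracking and NAT are assumptions of the model.

```python
# Simplified model of pf ruleset evaluation; an illustration, not pf's code.
from dataclasses import dataclass
from typing import Optional

SERVER = "192.0.2.10"   # constructed stand-in for the $server macro

@dataclass
class Packet:
    src: str
    dport: int
    tag: Optional[str] = None   # a tag stays on the packet between traversals

RULES = [
    # pass in quick on $int_if inet proto tcp from $server to any ... tag SERVER
    dict(action="pass", dir="in", iface="int_if", quick=True,
         src=SERVER, tag="SERVER"),
    # block return-rst out log quick on $mob_if ... to any port 25 tagged SERVER
    dict(action="block", dir="out", iface="mob_if", quick=True,
         dport=25, tagged="SERVER"),
]

def evaluate(rules, pkt, direction, iface):
    """One ruleset pass for a single (direction, interface) traversal."""
    verdict, tag = "pass", pkt.tag          # no matching rule: implicit pass
    for r in rules:
        if (r["dir"], r["iface"]) != (direction, iface):
            continue
        if r.get("src", pkt.src) != pkt.src or r.get("dport", pkt.dport) != pkt.dport:
            continue
        if "tagged" in r and r["tagged"] != pkt.tag:
            continue
        verdict, tag = r["action"], r.get("tag", tag)   # last match wins
        if r["quick"]:
            break                           # ends THIS pass only
    if verdict == "pass":
        pkt.tag = tag
    return verdict

def forward(rules, pkt, in_if, out_if):
    """A routed packet is filtered twice: in on in_if, then out on out_if."""
    for direction, iface in (("in", in_if), ("out", out_if)):
        if evaluate(rules, pkt, direction, iface) == "block":
            return f"blocked {direction} on {iface}"
    return "forwarded"

if __name__ == "__main__":   # ext_if is a hypothetical second uplink
    for src, dport, out_if in [(SERVER, 25, "mob_if"), (SERVER, 443, "mob_if"),
                               ("192.0.2.20", 25, "mob_if"), (SERVER, 25, "ext_if")]:
        print(src, dport, out_if, "->", forward(RULES, Packet(src, dport), "int_if", out_if))
```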
