Date: Wed, 27 Feb 2008 16:46:48 -0500
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: "Gilberto Villani Brito" <linux@giboia.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state
Message-ID: <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
In-Reply-To: <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>
You can omit 'from any' or 'to any' as redundant in pf.conf.

# pfctl -sr|grep www_servers
pass in quick proto tcp from any to <www_servers> port = http flags S/SA keep state
pass in quick proto tcp from any to <www_servers> port = https flags S/SA keep state

On Wed, Feb 27, 2008 at 4:10 PM, Gilberto Villani Brito <linux@giboia.org> wrote:
> I didn't understand this rule:
>
> pass in quick proto tcp to <www_servers> port $www_tcp_ports flags
> S/SA keep state
>
> I think it is:
> pass in quick proto tcp from any to <www_servers> port $www_tcp_ports
> flags S/SA keep state
>
> --
> Gilberto Villani Brito
> System Administrator
> Londrina - PR
> Brazil
> gilbertovb(a)gmail.com
>
> On 27/02/2008, Vadym Chepkov <vchepkov@gmail.com> wrote:
> > All,
> >
> > I must be doing something wrong, but I can't figure it out.
> > I actually simplify the network structure, to keep it simple
> >
> > - a client and a web server are on different network segments;
> > - all incoming connections to the client are prohibited;
> > - client should be allowed to access web server and get a reply;
> >
> > Here are the rules:
> >
> > set state-policy floating
> > pass in quick proto tcp to <www_servers> port $www_tcp_ports flags
> > S/SA keep state
> > block in log to <protected_dev_net>
> >
> > In the pflog I can see that reply packet from www server is blocked on
> > server's segment interface. I thought 'set state-policy floating'
> > should create a rule interface independent and allow a reply? Am I
> > wrong?
> >
> > Thank you,
> >
> > Vadym Chepkov
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"