From: "Vadym Chepkov"
To: "Gilberto Villani Brito"
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Feb 2008 16:46:48 -0500
Subject: Re: floating keep state
Message-ID: <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
In-Reply-To: <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>

You can omit 'from any' or 'to any' as redundant in pf.conf.

# pfctl -sr|grep www_servers
pass in quick proto tcp from any to <www_servers> port = http flags S/SA keep state
pass in quick proto tcp from any to <www_servers> port = https flags S/SA keep state

On Wed, Feb 27, 2008 at 4:10 PM, Gilberto Villani Brito wrote:
> I didn't understand this rule:
>
> pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
>
> I think it is:
> pass in quick proto tcp from any to port $www_tcp_ports flags S/SA keep state
>
> --
> Gilberto Villani Brito
> System Administrator
> Londrina - PR
> Brazil
> gilbertovb(a)gmail.com
>
> On 27/02/2008, Vadym Chepkov wrote:
> > All,
> >
> > I must be doing something wrong, but I can't figure it out.
> > I have actually simplified the network structure, to keep it simple:
> >
> > - a client and a web server are on different network segments;
> > - all incoming connections to the client are prohibited;
> > - the client should be allowed to access the web server and get a reply.
> >
> > Here are the rules:
> >
> > set state-policy floating
> > pass in quick proto tcp to port $www_tcp_ports flags S/SA keep state
> > block in log to
> >
> > In the pflog I can see that the reply packet from the www server is blocked on
> > the server's segment interface. I thought 'set state-policy floating'
> > should create a rule that is interface independent and allow a reply? Am I
> > wrong?
> >
> > Thank you,
> >
> > Vadym Chepkov
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
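Added example, not from the thread and not anyone's posted configuration: a complete pf.conf for the two-segment layout Vadym describes, written the way pfctl -sr normalizes it. The interface names, the addresses in the tables and the <clients> table name are assumptions made for the example; the thread only shows <www_servers>. The point it illustrates is that pf looks a packet up in the state table before it evaluates any rules, so with 'set state-policy floating' a state created by the pass rule on the client segment also matches the server's reply arriving inbound on the other interface, and the trailing block rule never sees that reply.

```pf
# Added example for the layout discussed in the thread (not the poster's
# ruleset). Interface names, addresses and the <clients> table are assumed.
ext_if        = "em0"                 # client segment (assumed name)
srv_if        = "em1"                 # web-server segment (assumed name)
www_tcp_ports = "{ http, https }"

table <www_servers> { 192.0.2.10, 192.0.2.11 }   # constructed sample addresses
table <clients>     { 198.51.100.0/24 }          # constructed sample network

set skip on lo0

# floating (the default): a state is keyed on addresses and ports only and
# matches on every interface. if-bound would tie it to the interface the
# state was created on, so a reply entering on $srv_if would not match.
set state-policy floating

# Log every blocked inbound packet; read the misses with
#   tcpdump -n -e -ttt -i pflog0
block in log all

# 'from any' is optional; pfctl -sr prints it either way.
# The SYN from the client creates the state; the server's reply on $srv_if
# is matched by that state before any rule below is consulted.
pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state

# Nothing unsolicited may enter the client segment. Established replies to
# the rule above never reach this rule, because the state lookup wins.
block in log to <clients>

# Check syntax without loading:  pfctl -nf /etc/pf.conf
# Show the normalized rules:     pfctl -sr
# Show current states:           pfctl -ss
```

The three pfctl invocations in the trailing comments are the standard ones: -nf parses the file without loading it, -sr prints the loaded rules in canonical form (which is why 'from any' appears in the reply's output), and -ss lists the state table, where a matched connection shows up as a single entry regardless of how many interfaces its packets crossed.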