From owner-freebsd-pf@FreeBSD.ORG  Wed May 16 18:27:31 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5585D16A404
	for <freebsd-pf@freebsd.org>; Wed, 16 May 2007 18:27:31 +0000 (UTC)
	(envelope-from tom@tomjudge.com)
Received: from s200aog11.obsmtp.com (s200aog11.obsmtp.com [207.126.144.125])
	by mx1.freebsd.org (Postfix) with SMTP id 9F59D13C48C
	for <freebsd-pf@freebsd.org>; Wed, 16 May 2007 18:27:30 +0000 (UTC)
	(envelope-from tom@tomjudge.com)
Received: from source ([217.206.187.80]) by eu1sys200aob011.postini.com
	([207.126.147.11]) with SMTP; Wed, 16 May 2007 18:27:29 UTC
Received: from [10.0.0.89] (bill.mintel.co.uk [10.0.0.89])
	by rodney.mintel.co.uk (Postfix) with ESMTP id D093618141B
	for <freebsd-pf@freebsd.org>; Wed, 16 May 2007 19:06:20 +0100 (BST)
Message-ID: <464B487C.1050301@tomjudge.com>
Date: Wed, 16 May 2007 19:07:56 +0100
From: Tom Judge <tom@tomjudge.com>
User-Agent: Thunderbird 1.5.0.10 (X11/20070306)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Packet Path Through PF (onec for each interface?)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2007 18:27:31 -0000

Hi,

I have a question about the number of times a packet passes through pf 
on a router.

Take the following simple configuration

172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24

Does a packet being routed from em0 to em1 pass through PF twice?

Would the following example work to only pass ssh connections from 
172.31.0.0/24 into 172.31.1.0/41

pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 
22 keep state
block in log inet from any to any
block out log inet from any to any


Or do I have to have the follwoing rules for it to work?


pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 
22 keep state
pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 
22 keep state

block in log inet from any to any
block out log inet from any to any


In the second rule this indicates that the packet passes through PF once 
for each interface that it passes through, is this correct?

Thanks

Tom