Date: Wed, 26 Feb 2020 02:55:15 -0800
From: Doug Hardie <bc979@lafn.org>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: pf usage
Message-ID: <A9F6E326-01C8-44C3-8BD0-D613E4EAFEED@mail.sermon-archive.info>
I just learned something quite unexpected about pf. Some time ago, the rules had to include "state" to have pf track state. However, later pf was changed to always assume "state", thus reducing the typing of the rules. The description of that change made me believe that the change was in pf.

On one of my systems with two NICs and two different internet providers, I was using pftop to track usage. The only states I saw were for just one network. The other one never showed any states, but the packets were delivered properly.

I discovered that pf has to have a rule for each interface. I used "pass all" for the interface that needed no other rules. The change apparently was made to pfctl, not pf. So the one interface had no rules, and hence there was nothing to tell pf to track state.

-- Doug
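As an added illustration (not part of the message above), a minimal FreeBSD pf.conf for the two-uplink situation it describes. Every rule names only the first interface, so a packet arriving on the second interface matches no rule at all; pf's default action when nothing matches is to pass, and a packet passed that way creates no state entry, which is why pftop and pfctl -ss never show anything for that interface. The last rule is the fix: a "pass" rule keeps state by default, so once one covers the second interface its connections show up. Interface names, address and ports are assumptions chosen for the example.

```pf
# Added example pf.conf, not from the original post. Interface names are assumed.
isp_a = "em0"        # uplink 1: fully filtered below
isp_b = "em1"        # uplink 2: originally had no rule at all

set skip on lo0

# Rules for the first uplink only. "pass" rules keep state by default
# (pfctl expands them to "flags S/SA keep state" when it loads the ruleset).
block in on $isp_a
pass out on $isp_a
pass in on $isp_a proto tcp to ($isp_a) port { 22 80 443 }

# Without the rule below, traffic on $isp_b matches nothing. pf then applies
# its default action, pass, and no state is created: pftop / pfctl -ss stay
# empty for em1 even though the packets are delivered.
#
# The fix is any "pass" rule that covers the interface. "pass on $isp_b all"
# is the same thing the original poster achieved with "pass all" (a rule with
# no "on" clause applies to every interface).
pass on $isp_b all
```

Check the result with `pfctl -vnf /etc/pf.conf` (parses without loading and prints each rule with the implied `keep state` made explicit), load it with `pfctl -f /etc/pf.conf`, then compare `pfctl -vsr` against `pfctl -ss` while traffic flows on em1. The practitioner's caveat: the gap was invisible here only because pf defaults to pass; a ruleset that starts with `block all` and then passes explicitly per interface turns an uncovered interface into dropped traffic, which is noticed immediately, rather than stateless traffic that is silently forwarded without pf's TCP flag and sequence checks.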