Date: Sun, 18 Jun 2006 22:33:15 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: outgoing LAN traffic always in "keep state"
Message-ID: <fee88ee40606182233v3b280dbbgfa57a30f311c4ef7@mail.gmail.com>
In-Reply-To: <44960900.4000406@infoweapons.com>
References: <44960900.4000406@infoweapons.com>

Post your ruleset and people can help you. You're probably using
nat/rdr/binat which create states.

-Kian

On 6/18/06, Ronnel P. Maglasang <rmaglasang@infoweapons.com> wrote:
>
> I have a minimum PF setup that sits in between my internal network (lan)
> and external network (wan). PF by design, bypasses ruleset evaluation (on
> external interfaces) for incoming packets on external interface that
> corresponds to an entry in the state table or a response to an internally
> generated packet. I observe this for TCP, UDP and also ICMP packets. Even
> if the matching rule in the internal interface does not have a "keep
> state", still the response packet bypasses the ruleset evaluation. Is
> there a way (force) to allow response packets to go thru ruleset
> evaluation? I just want to have full control of the incoming packets on
> the external interface whether they are response to a LAN traffic or not.
> I'll be implementing queueing soon and I think this PF behavior will
> affect badly. Has anyone experienced this?
>
> Thanks a lot.
> - sho
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>