Date: Tue, 27 Jun 2006 16:58:04 +0300
From: "N. Ersen SISECI" <siseci@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: Re: Keep State is not working on 6.1-RELEASE-p1
Message-ID: <44A1396C.7040708@gmail.com>
So we don't have a "keep state" interpretation like ipf etc.... (OK, I understand the floating option for the state table. It is not related to our problem...)

What we are looking for is to be able to pass through the firewall with one set of rules per allowed traffic, like it used to be in ipf-like firewalls.

For pf, a solution we came up with:

    pass in quick ... port 22 ... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    ....
    ....
    # last rules
    block in all
    # let everything out with a new state entry
    pass out all keep state tagged XYZ

Is there another way to securely let everything "pass through" the firewall without having to write another rule for outgoing packets? We have hundreds of rules on our gateway, and it is quite difficult to duplicate rules and keep track of the incoming interface as well as the outgoing interface...

Thanx for your help

N. Ersen SISECI
http://www.enderunix.org

Daniel Hartmeier wrote:
> On Tue, Jun 27, 2006 at 01:36:52PM +0300, N. Ersen SISECI wrote:
>
>> My first rule is pass in all with keep state. But the packets do not
>> seem to be able to pass out from the other interface. If I change the last
>> block to "pass" everything works fine. It seems that the state table
>> is always if-bound'ed???
>>
>> Is there a solution for this problem, or do I miss a configuration with
>> kernel, pf, pf.conf etc... ??? or is this a bug :)
>
> Neither, your interpretation of 'floating' does not match reality, see
>
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2
>
> In short, create two state entries per connection.
>
> Daniel
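As an added illustration (not part of the thread or of the poster's ruleset), a minimal pf.conf that spells out the tag-based pass-through sketched above together with the "two state entries per connection" Daniel's reply asks for. Interface names, addresses, the allowed services and the tag name PASSTHRU are all assumptions.

```pf
# Added example: tag-based pass-through on a forwarding pf gateway.
# Assumed names: em0/em1, 192.168.1.0/24, 192.168.1.10 and the tag PASSTHRU.
int_if     = "em0"
ext_if     = "em1"
int_net    = "192.168.1.0/24"
admin_host = "192.168.1.10"

# Options come first in pf.conf; loopback is exempted from filtering.
set skip on lo0

# Default deny in both directions: anything not explicitly accepted on the
# way in, and anything not carrying the tag on the way out, is dropped.
block in all
block out all

# Inbound policy: one rule per allowed service. Each rule creates the first
# state entry (on the inbound interface) and stamps the packet with the tag.
pass in quick on $int_if proto tcp from $admin_host to any port 22 \
    keep state tag PASSTHRU
pass in quick on $int_if proto tcp from $int_net to any port { 80 443 } \
    keep state tag PASSTHRU
pass in quick on $int_if proto udp from $int_net to any port 53 \
    keep state tag PASSTHRU

# Outbound side: a single rule instead of a duplicate of every rule above.
# "tagged PASSTHRU" matches only packets that one of the inbound rules already
# accepted (the tag travels with the packet while it is forwarded), and
# "keep state" creates the second state entry on the outgoing interface.
# Reply packets then match these states on lookup and need no further rules.
# Traffic originating on the firewall itself is never tagged, so it still
# falls through to "block out all" and needs its own explicit rules.
pass out quick on $ext_if tagged PASSTHRU keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f, and check pfctl -ss afterwards: a forwarded connection should show one state on $int_if and one on $ext_if.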