From: thecoba@gmail.com
To: freebsd-pf@freebsd.org
Date: Mon, 12 Dec 2005 13:10:16 +0300
Subject: keep state rules on vlan?

Hey, I have a weird problem with keep state outgoing connections on a vlan interface: I'm getting blocks for outgoing traffic on $eif2. If I configure pf without keep state everything works nicely, but with keep state rules it won't work. I also have keep state rules on the parent interface of the vlan; maybe they kill the vlan rules or have some strange effect on them?
uname: FreeBSD XXX 6.0-RELEASE FreeBSD 6.0-RELEASE #0

pf.conf:

    # pf.conf
    set loginterface none
    set optimization normal
    set block-policy return
    set require-order yes
    set fingerprints "/etc/pf.os"

    # interface macros: fxp0 is the parent of vlan0/vlan1
    eif="fxp0"
    iif="em0"
    iif2="vlan1"
    eif2="vlan0"
    pfsyncif = "pfsync0"
    loopif = "lo0"

    set block-policy return   # repeats the setting above; harmless

    scrub in on $eif all
    scrub in on $eif2 all

    # outbound keep state rules on the parent interface (fxp0)
    pass out on $eif proto tcp from any to any flags S/SA keep state
    pass out on $eif proto { udp, icmp } from any to any keep state

    # the same outbound keep state rules on the vlan interface (vlan0)
    pass out on $eif2 proto tcp from any to any flags S/SA keep state
    pass out on $eif2 proto { udp, icmp } from any to any keep state

    # packets sourced from the other interface's address are routed back out
    # via that interface (gw1 and gw2 are used as posted; not defined in the excerpt)
    pass out on $eif route-to ($eif2 gw1) from $eif2 to any
    pass out on $eif2 route-to ($eif gw2) from $eif to any
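A practical first step with a ruleset like the one above is to find out which rules are actually seeing the $eif2 packets rather than guessing. "pfctl -vsr" prints a "[ Evaluations: ... Packets: ... Bytes: ... States: ... ]" counter line under every loaded rule, so a rule with a non-zero Packets counter is one that matched. The shell script below is an added example, not code from the original post or from the pf project: it defines a small filter over that output, and the sample "pfctl -vsr" listing embedded in it is constructed for illustration (its rules and numbers are not from the poster's machine).

```shell
#!/bin/sh
# Added example (not from the original post or from pf): list the pf rules that
# have matched traffic, using the per-rule counter lines that "pfctl -vsr" prints.
#
# Live usage:   pfctl -vsr | matched_rules                  # every rule with traffic
#               pfctl -vsr | matched_rules block            # only block rules with traffic
#               pfctl -vsr | matched_rules 'pass out on vlan0'
# The optional argument is a prefix the rule text must start with.
matched_rules() {
    awk -v prefix="$1" '
        /^[[:space:]]*\[ Evaluations:/ {
            # Counter line layout: [ Evaluations: N Packets: N Bytes: N States: N ]
            evals = $3 + 0; pkts = $5 + 0; states = $9 + 0
            if (pkts > 0 && (prefix == "" || index(rule, prefix) == 1))
                printf "%s\t[evals=%d packets=%d states=%d]\n", rule, evals, pkts, states
            next
        }
        { rule = $0 }   # remember the rule text; its counters follow on the next line
    '
}

# Constructed sample in the shape "pfctl -vsr" prints (assumption: pf of the
# FreeBSD 6.0 era); the rules and numbers are invented for illustration.
sample_pfctl_vsr() {
    cat <<'EOF'
scrub in on fxp0 all fragment reassemble
  [ Evaluations: 5120      Packets: 5120      Bytes: 2621440    States: 0     ]
pass out on fxp0 proto tcp all flags S/SA keep state
  [ Evaluations: 812       Packets: 30        Bytes: 4100       States: 2     ]
pass out on vlan0 proto tcp all flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0          States: 0     ]
block drop log all
  [ Evaluations: 75        Packets: 75        Bytes: 6300       States: 0     ]
EOF
}

# Number of rules with traffic in the sample, optionally restricted to a prefix.
count_matched() {
    sample_pfctl_vsr | matched_rules "$1" | wc -l | tr -d ' '
}

# Run stand-alone: show which rules in the sample carried packets.
sample_pfctl_vsr | matched_rules
```

In the constructed sample the vlan0 keep state rule is evaluated but never matches while the block rule picks up the same packet count, which is the pattern to look for when a "pass ... keep state" rule on a vlan is not doing what you expect. Reset the counters with "pfctl -Fs"-style flushing or simply reload the ruleset, generate the failing traffic, and re-run the filter; "pfctl -ss" then shows whether any state was created for those connections at all.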