Date: Sun, 1 Dec 2019 23:11:53 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Subject: pf's states
Message-ID: <20191201161153.GA75091@admin.sibptus.ru>
Dear Colleagues,

I was asking this question on the freebsd-net mailing list, but I think it would be better to re-ask it here.

There is something I cannot understand about pf's notion of state. Consider this very simple example with two interfaces:

===================================
# DMZ 172.16.1.0/24
pass in on $dmz
#block in on $dmz from any to 192.168.0.0/16

# Inside 192.168.10.0/24
pass in on $inside
===================================

While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3. But when I uncomment the "block ..." line and restart pf, I cannot do that any more. Why is that?

My idea was that the "pass in on $inside" creates state so that return traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted, but this is not happening, so I must be wrong in my understanding of how state works.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/