Date: Sun, 1 Dec 2019 23:11:53 +0700 From: Victor Sudakov <vas@sibptus.ru> To: freebsd-net@freebsd.org Subject: pf's states Message-ID: <20191201161153.GA75091@admin.sibptus.ru>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Dear Colleagues, I was asking this question on the freebsd-net mailing list, but I think it would be better to re-ask it here. There is something I cannot understand about pf's notion of state. Consider this very simple example with two interfaces: =================================== # DMZ 172.16.1.0/24 pass in on $dmz #block in on $dmz from any to 192.168.0.0/16 # Inside 192.168.10.0/24 pass in on $inside =================================== While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3. But when I uncomment the "block ..." line and restart pf, I cannot do that any more. Why is that? My idea was that the "pass in on $inside" creates state so that return traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted, but this is not happening so I must be wrong in my understaning how state works. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJd4+ZJAAoJEA2k8lmbXsY0Ha4H/1kNHozk5gX1umhKa6FLfRAz 8UfzehZk/R3b0kt7PHLavJFKYQp3TCCn0/GZpiSVFtL5UyVuAB/zvWBi8Rn7CGox 6Gc7rLSOdN90JkVJFx9ocMSK80aUM/A6jS0/lbrx/2v9BZA++wq9mo9zJJlBSLHA BmNXistTVd4eAQa/XadP0YQfRjBvAtrnhyMDyeW0PQz1LfYkWpvB95ayEoKJpvJt 5RfCTKCsdX/HdaxUUVmL6B7BrYSlKu12pKrt2MQ3LLrP+FWMewVen+/cj1KzT4C0 FMdjbhBO0QRT3M7qPQwLnby/gwE7V8BR4ELTra9xaGkfrT4ZOw7aR4gRJT6i+0c= =FkHD -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191201161153.GA75091>