Date:      Mon, 2 Dec 2019 12:36:49 +0300
From:      Max <maximos@als.nnov.ru>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf's states
Message-ID:  <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
In-Reply-To: <20191202025642.GA99174@admin.sibptus.ru>
References:  <20191202025642.GA99174@admin.sibptus.ru>

Hello.

Is this a complete ruleset? What about "pass out..." rules? You should 
check other rules since you have no "quick" in your listed rules. The 
last matching rule decides what action is taken.

02.12.2019 5:56, Victor Sudakov wrote:
> Dear Colleagues,
>
> I was asking this question on the freebsd-net mailing list, but I think
> it would be better to re-ask it here.
>
> There is something I cannot understand about pf's notion of state.
>
> Consider this very simple example with two interfaces:
>
> ===================================
> # DMZ 172.16.1.0/24
> pass in on $dmz
> #block in on $dmz from any to 192.168.0.0/16
>
> # Inside 192.168.10.0/24
> pass in on $inside
> ===================================
>
> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3.
> But when I uncomment the "block ..." line and restart pf, I cannot do
> that any more. Why is that?
>
> My idea was that the "pass in on $inside" creates state so that return
> traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
> but this is not happening so I must be wrong in my understanding how
> state works.
>
>
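To make the evaluation-order point concrete, here is an added Python model of pf's rule matching; it is an illustration written for this archive page, not code from the thread and not pf's own implementation. It walks the quoted ruleset top to bottom, lets the last matching rule decide unless a matching rule carries "quick", and checks a constructed return packet from 172.16.1.10 arriving in on $dmz bound for 192.168.10.3. The interface names em0/em1 standing in for $dmz/$inside are placeholders, ports are ignored, and state-table lookups (which happen before rule evaluation in real pf) are deliberately left out so that only rule ordering is shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the $dmz and $inside macros (not from the thread).
DMZ = "em0"
INSIDE = "em1"


@dataclass
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out" relative to that interface
    src: str
    dst: str


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None matches any interface
    src: Optional[str] = None    # CIDR, None matches any source
    dst: Optional[str] = None    # CIDR, None matches any destination
    quick: bool = False          # stop evaluating once this rule matches
    text: str = ""               # the pf.conf line, for reporting

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule_text): the last matching rule wins, unless a
    matching rule is marked quick, which ends evaluation immediately.
    With no matching rule at all, pf's default is to pass."""
    decision = ("pass", "<no rule matched: default pass>")
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


# The quoted ruleset with the "block" line uncommented, as posted.
RULESET_AS_POSTED = [
    Rule("pass", "in", DMZ, text="pass in on $dmz"),
    Rule("block", "in", DMZ, dst="192.168.0.0/16",
         text="block in on $dmz from any to 192.168.0.0/16"),
    Rule("pass", "in", INSIDE, text="pass in on $inside"),
]

# Same rules, with "quick" on the first pass rule (constructed variant).
RULESET_WITH_QUICK = [
    Rule("pass", "in", DMZ, quick=True, text="pass in quick on $dmz"),
    Rule("block", "in", DMZ, dst="192.168.0.0/16",
         text="block in on $dmz from any to 192.168.0.0/16"),
    Rule("pass", "in", INSIDE, text="pass in on $inside"),
]

# Constructed packets: the first SYN entering on $inside, and the reply
# from the DMZ web server entering on $dmz (ports omitted in this model).
FIRST_PACKET = Packet(INSIDE, "in", "192.168.10.3", "172.16.1.10")
RETURN_PACKET = Packet(DMZ, "in", "172.16.1.10", "192.168.10.3")


def report(rules: List[Rule], pkt: Packet) -> str:
    action, text = evaluate(rules, pkt)
    return f"{pkt.direction} on {pkt.iface} {pkt.src} -> {pkt.dst}: {action} ({text})"


if __name__ == "__main__":
    print("As posted:")
    print(" ", report(RULESET_AS_POSTED, FIRST_PACKET))
    print(" ", report(RULESET_AS_POSTED, RETURN_PACKET))
    print("With quick on the first pass rule:")
    print(" ", report(RULESET_WITH_QUICK, RETURN_PACKET))
```

Run as a script, the model shows the return packet on $dmz matching both the "pass in on $dmz" and the "block ... to 192.168.0.0/16" rules; without "quick" the later block rule is the one that counts, while adding "quick" to the pass rule ends evaluation there. Whether a real pf would consult these rules at all for that packet depends on the state table and the rest of the ruleset, which is exactly why the reply asks for the complete configuration.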