Date: Thu, 16 Sep 2004 03:50:22 -0000
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pfaltq-5.1.0.4 problem using fingerprinting
Message-ID: <20030902193526.GD27851@insomnia.benzedrine.cx>
In-Reply-To: <3F54B31C.8070106@dequim.ist.utl.pt>
References: <3F54A3F9.3010101@dequim.ist.utl.pt> <3F54A64B.6090404@dequim.ist.utl.pt> <00ce01c3715e$961a0ce0$01000001@max900> <3F54B31C.8070106@dequim.ist.utl.pt>

On Tue, Sep 02, 2003 at 04:11:24PM +0100, Bruno Afonso wrote:

> Although, I'm accessing through a "local" network, I'm always accessing
> the external interface (public ip), so that's not the issue :-)

Your assumption that connecting to the external address causes pf to
filter on $ext_if is wrong.

If you connect from the local network (to the external address), the
packet will only pass through the internal interface. If pf lets it pass
there, the stack of the pf box will detect that the destination is one
of its own addresses, and pass it up to the listening socket. The packet
never passes the external interface, and pf never gets to filter it on
the external interface.

Whether you use the internal or external address as destination just
doesn't matter. This is a common misconception; I don't know where it
comes from.

Daniel
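
The behaviour described in the message above, as a pf.conf fragment. This is an added illustration, not a ruleset from the thread; the interface names, addresses and ports are constructed assumptions.

```pf
# Constructed example values (assumptions, not from the thread).
ext_if   = "fxp0"            # interface facing the Internet
int_if   = "fxp1"            # interface facing the LAN
ext_addr = "192.0.2.1"       # public address configured on $ext_if
int_net  = "192.168.1.0/24"  # LAN behind $int_if

# Default policy: deny inbound, allow outbound statefully.
# Without "quick", the last matching rule decides.
block in log all
pass out all keep state

# Bound to $ext_if: evaluated only for packets that arrive on $ext_if.
# A LAN host connecting to $ext_addr never reaches this rule, because
# its packet enters on $int_if and is delivered to the local socket.
pass in on $ext_if inet proto tcp from any to $ext_addr port 80 keep state

# LAN traffic is decided here, including traffic addressed to $ext_addr
# ("to any" covers the firewall's own addresses as well).
pass in on $int_if inet from $int_net to any keep state

# To restrict LAN access to a service on the firewall's public address,
# the rule has to be bound to $int_if and match on the destination.
# Placed last, it overrides the broader pass rule above for port 22.
block in log on $int_if inet proto tcp from $int_net to $ext_addr port 22
```

`pfctl -nf` parses the file without loading it, and `pfctl -vsr` shows per-rule counters, which makes it visible that connections from the LAN to `$ext_addr` increment the `$int_if` rules and leave the `$ext_if` rule untouched.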