Date: Tue, 23 Jun 2009 21:31:27 -0700
From: Fire walls <fayerwall@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Understanding the keep state?
Message-ID: <b61774460906232131m77b23a56seec6c7ba649dc8d6@mail.gmail.com>
In-Reply-To: <4A41814B.7010909@gmail.com>
References: <b61774460906231758h172e2258gab1b6d6a948d65f1@mail.gmail.com> <4A41814B.7010909@gmail.com>

On Tue, Jun 23, 2009 at 6:28 PM, Eric Williams <purpleshadow100@gmail.com> wrote:

> On 6/23/2009 7:58 PM, Fire walls wrote:
> >
> > Working this way, where is the best way to put the "keep state" statement,
> > in the "LAN Rules" or in the "Firewall Rules" or in both parts?
> >
> > Thanks all for your help, if I'm doing this the wrong way please let me
> > know, I want to get a deep understanding of pf.
>
> Excluding certain rare cases, generally you want to keep state on all
> rules. Because of this more recent pf versions keep state by default. If
> you have a particular reason you don't want state kept, you need to use
> the "no state" statement, however, take note that if you're using NAT,
> you need state for proper routing of responses.
>
>

Thanks for your quick answer.

Then in my case is it better to have:

*LAN Rule
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA keep state

*Firewall Rule
pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state

Like you say, the current version adds the "keep state" by default, which is the same thing I'm doing here; there will not be any problem?

Thanks for your help!!!

--
:-)