From: Fire walls <fayerwall@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jun 2009 21:31:27 -0700
In-Reply-To: <4A41814B.7010909@gmail.com>
Subject: Re: Understanding the keep state?
On Tue, Jun 23, 2009 at 6:28 PM, Eric Williams wrote:

> On 6/23/2009 7:58 PM, Fire walls wrote:
>>
>> Working this way, where is the best way to put the "keep state"
>> statement, in the "LAN Rules" or in the "Firewall Rules" or in both parts?
>>
>> Thanks all for your help, if I'm doing this the wrong way please let me
>> know, I want to get a deep understanding of pf.
>
> Excluding certain rare cases, generally you want to keep state on all
> rules. Because of this more recent pf versions keep state by default. If
> you have a particular reason you don't want state kept, you need to use
> the "no state" statement, however, take note that if you're using NAT,
> you need state for proper routing of responses.

Thanks for your quick answer. Then in my case it is better to have:

* LAN Rule

    pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA keep state

* Firewall Rule

    pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state

Like you say, the current version adds the "keep state" by default; it is the same thing I'm doing here, so there will not be any problem?

Thanks for your help!!!

--
:-)
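The two rules from the reply above placed into a minimal working pf.conf, as an added example that is not from the thread; the macro names are the poster's, while the interface names, the LAN range and the NAT rule are assumed:

```pf
# Added example, not from the thread. Interface names and the
# 192.168.1.0/24 range are assumed; $IntIF, $ExtIF and $LOCALLAN are
# the macro names used in the thread.
IntIF    = "em0"
ExtIF    = "em1"
LOCALLAN = "192.168.1.0/24"

# NAT for the LAN (pre-OpenBSD 4.7 syntax as used by FreeBSD pf in 2009).
# NAT needs state: the reply to a translated packet is mapped back to the
# original source through the state entry, not through any rule.
nat on $ExtIF from $LOCALLAN to any -> ($ExtIF)

# Default deny; the pass rules below are "quick", so they win when matched.
block all

# LAN rule: only the SYN of a new connection matches (flags S/SA).
# Every later packet of that connection is passed by the state entry.
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 \
    flags S/SA keep state

# Firewall rule: same for the translated packet leaving the outside interface.
pass out quick on $ExtIF proto tcp from any to any port 80 \
    flags S/SA keep state

# On a pf that keeps state by default the explicit "keep state" is
# redundant but harmless, so these two rules are equivalent there:
#   pass out quick on $ExtIF proto tcp from any to any port 80
#   pass out quick on $ExtIF proto tcp from any to any port 80 keep state
# Only "no state" on a rule turns state tracking off for it.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` to see the state entries the two rules create for a connection.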