From owner-freebsd-questions@FreeBSD.ORG  Fri Oct 23 12:15:42 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E59C21065670
	for <questions@freebsd.org>; Fri, 23 Oct 2009 12:15:42 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es
	[85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id A00FB8FC14
	for <questions@freebsd.org>; Fri, 23 Oct 2009 12:15:42 +0000 (UTC)
Received: from beta.1-16-172-dyn.locolomo.org (beta.1-16-172-dyn.locolomo.org
	[172.16.1.127])
	by mail.locolomo.org (Postfix) with ESMTPSA id ABAAE1C1A67
	for <questions@freebsd.org>; Fri, 23 Oct 2009 14:15:40 +0200 (CEST)
Message-ID: <4AE19E6C.8030408@locolomo.org>
Date: Fri, 23 Oct 2009 14:15:40 +0200
From: Erik Norgaard <norgaard@locolomo.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: 
Subject: packet filter keep state doesn't
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Oct 2009 12:15:43 -0000

Hi:

I have a setup like this:

             LAN          SRV
    CLIENT ------- FBSD ------- GW/DSL ---- Internet

Now, I'd like my client to connect to the DSL box to manage it, so I 
have create the following rules in my pf.conf:

pass  in log quick on $FBSD_LAN inet proto tcp from CLIENT to GW \
      port 80 flags S/SA keep state
pass  out log quick on $FBSD_SRV inet proto tcp from $FBSD_IP \
      to <Internet> port 80 keep state
block out log quick on $FBSD_SRV any

I added the log keyword for debugging. It turns out that the packet is 
blocked by the last rule, despite the keep state.

Am I doing something wrong or is this how it is supposed to be? I 
thought that I could just concentrate on the filtering the incomping 
packets using keep state, then the out rules would only apply to packets 
originating from the FBSD box.

The curious thing is that since the FBSD box does NAT for connections 
with the Internet, packets destined for the Internet are not affected

Thanks, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org