Date: Mon, 2 Dec 2019 12:23:08 +0200
From: Artem Viklenko <artem@viklenko.net>
To: Max <maximos@als.nnov.ru>, freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <1c3f3105-86c4-e61a-7d81-f4d794773542@viklenko.net>
In-Reply-To: <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
References: <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
Hi!

Check current state-policy - if-bound or floating.
If it is if-bound, out rules are needed.
If floating - state should pass traffic in reverse direction.

On 02.12.19 11:36, Max wrote:
> Hello.
>
> Is this a complete ruleset? What about "pass out..." rules? You should check
> other rules since you have no "quick" in your listed rules. The last matching
> rule decides what action is taken.
>
> 02.12.2019 5:56, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I was asking this question on the freebsd-net mailing list, but I think
>> it would be better to re-ask it here.
>>
>> There is something I cannot understand about pf's notion of state.
>>
>> Consider this very simple example with two interfaces:
>>
>> ===================================
>> # DMZ 172.16.1.0/24
>> pass in on $dmz
>> #block in on $dmz from any to 192.168.0.0/16
>>
>> # Inside 192.168.10.0/24
>> pass in on $inside
>> ===================================
>>
>> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80"
>> from 192.168.10.3.
>> But when I uncomment the "block ..." line and restart pf, I cannot do
>> that any more. Why is that?
>>
>> My idea was that the "pass in on $inside" creates state so that return
>> traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
>> but this is not happening so I must be wrong in my understanding how
>> state works.
>>
>>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
Regards!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1c3f3105-86c4-e61a-7d81-f4d794773542>
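The two points raised in the thread (Artem's: check whether state-policy is if-bound or floating, and add "pass out" rules if it is if-bound; Max's: without "quick" the last matching rule wins) can be folded into one ruleset that behaves the same under either policy. The pf.conf below is an added example, not a ruleset posted by anyone in the thread; the interface macros, the 172.16.1.10 web server and the two networks come from Victor's message, while the interface names em1/em2 and the "block log all" default are assumptions for illustration.

```pf
# Added example: the two-interface ruleset from the thread, rewritten so that
# state policy, rule ordering and direction are all explicit.
# em1/em2 are assumed interface names; adjust to the real ones.
dmz    = "em1"   # DMZ 172.16.1.0/24
inside = "em2"   # Inside 192.168.10.0/24

# Make the state policy explicit instead of relying on the compiled-in default.
# floating : a state created by "pass in on $inside" also matches the same
#            flow leaving on $dmz and the replies arriving on $dmz, so the
#            "block in on $dmz" rule is never consulted for those packets.
# if-bound : the state is tied to $inside only; the packet leaving on $dmz
#            and the replies coming back in on $dmz are evaluated against the
#            ruleset again and need rules of their own.
set state-policy floating

# Default deny, then explicit exceptions. Without "quick", a later "pass"
# that also matches would override an earlier "block" (last match wins).
block log all

# DMZ: hosts there may not initiate connections to the inside networks.
# "quick" stops evaluation here, so the "pass in" below cannot override it.
block in quick on $dmz from any to 192.168.0.0/16
pass in on $dmz keep state

# Inside: hosts may initiate connections anywhere, including to the DMZ.
# This is the rule that creates the state for 192.168.10.3 -> 172.16.1.10:80.
pass in on $inside keep state

# Outbound rules are only required with if-bound states, but adding them
# makes the ruleset correct under either policy: with if-bound, the packet
# leaving on $dmz creates a second state bound to $dmz, and the reply from
# 172.16.1.10:80 matches that state before the block rule is reached.
pass out on $dmz keep state
pass out on $inside keep state
```

After loading with "pfctl -f /etc/pf.conf", "pfctl -sr" shows the rules as pf parsed them (including the "set" option) and "pfctl -ss" lists the current states with the interface each one is attached to; if a telnet from 192.168.10.3 to 172.16.1.10 port 80 produces a state on $inside but the reply is still dropped, the state is if-bound and the "pass out on $dmz" rule above is the one that must be present.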