Date: Mon, 2 Dec 2019 20:40:47 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191202134047.GA14183@admin.sibptus.ru>
In-Reply-To: <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
References: <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>

Max wrote:
>
> Is this a complete ruleset?

For this lab, yes, almost complete. There is only one more line,
"nat on $outside ...", but strictly speaking, "nat" is not a rule.

> What about "pass out..." rules?

Why would I need them? In pf, it's "pass" by default.

> You should
> check other rules since you have no "quick" in your listed rules.

1. There are no other rules.
2. Even if there were, they should be irrelevant because the "pass in on
$inside" rule should create state, and states are processed before rules.

> The last matching rule decides what action is taken.

The last matching rule on the $inside interface is
"pass in on $inside".

The last matching rule on the $outside interface is
"block in on $dmz from any to 192.168.0.0/16"

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/