Date:      Mon, 19 Jun 2006 10:16:32 +0800
From:      "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
To:        freebsd-pf@freebsd.org
Subject:   outgoing LAN traffic always in "keep state"
Message-ID:  <44960900.4000406@infoweapons.com>

I have a minimal PF setup that sits in between my internal network (LAN)
and external network (WAN). PF, by design, bypasses ruleset evaluation (on
external interfaces) for incoming packets on the external interface that
correspond to an entry in the state table or are a response to an internally
generated packet.
I observe this for TCP, UDP and also ICMP packets. Even if the matching rule
on the internal interface does not have a "keep state", the response packet
still bypasses the ruleset evaluation. Is there a way to force response
packets to go through ruleset evaluation? I just want to have full control of
the incoming packets on the external interface, whether they are a response to
LAN traffic or not. I'll be implementing queueing soon and I think this
PF behavior will affect it badly. Has anyone experienced this?

Thanks a lot.
- sho
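The two behaviours the post contrasts, as an added pf.conf example that is not part of the original message and not a reply from the list: a stateful rule, where the reply packet on the external interface is matched against the state entry and never reaches the ruleset, so the queue (and any other per-connection decision) has to be named on the rule that creates the state; and a stateless rule, where every packet in both directions is evaluated against the ruleset and the reply needs its own explicit pass rule. The interface names, the LAN prefix and the queue names are assumptions chosen for the example. It also assumes a PF release in which pass rules keep state by default and "no state" switches that off (OpenBSD 4.1 and later, and the FreeBSD versions that imported that PF); on the 2006-era PF the poster was running, a pass rule without an explicit "keep state" was already stateless.

```conf
# Assumed interface names and LAN prefix (not from the original post)
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# ALTQ on the external interface. A queue name is recorded in the state
# entry when the state is created, and applied when the packet leaves on
# an interface that has a queue of that name.
altq on $ext_if priq bandwidth 10Mb queue { q_lan, q_other }
queue q_lan   priority 7
queue q_other priority 1 priq(default)

block all

# Stateful: the state is created by the inbound rule on $int_if. The reply
# arriving on $ext_if matches that state and skips ruleset evaluation, so a
# "pass in on $ext_if" rule would never see it; the queue is set here.
pass in  on $int_if proto { tcp udp icmp } from $lan_net to any \
    keep state queue q_lan
pass out on $ext_if proto { tcp udp icmp } from $lan_net to any \
    keep state queue q_lan

# Stateless: nothing is inserted into the state table, so every packet,
# including the reply on $ext_if, is evaluated against the ruleset and
# must be allowed explicitly in each direction on each interface.
pass in  on $int_if proto tcp from $lan_net to any port 80 no state
pass out on $ext_if proto tcp from $lan_net to any port 80 no state
pass in  on $ext_if proto tcp from any port 80 to $lan_net no state
pass out on $int_if proto tcp from any port 80 to $lan_net no state
```

With the stateless rules the reply does go through the ruleset, which is what the post asks for, but PF then cannot tell a genuine reply from any other inbound packet from source port 80, so the check that the state table normally provides (sequence numbers, connection direction) is lost. Load the file with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows which connections have state entries and `pfctl -vsq` shows queue counters.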


