need help with ipfw nat to pf nat migration
Victor Sudakov
vas at mpeks.tomsk.su
Thu Apr 4 07:52:20 UTC 2019

Artem Viklenko via freebsd-net wrote:
> >>
> >>> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep
> >>> state allow-opts tag SERVER
> >>
> >> 2.
> >>
> >>> block return-rst out log quick on $mob_if inet proto tcp to any port 25
> >>> tagged SERVER
> >>
> >> You have already passed the packet with "quick" in the first rule, it
> >> probably will never hit the second "block" rule?
> >>
> >
> > No, each rule bound to different interface - i.e. different conditions.
>
> Actually, you should check state-policy in your configuration.
> In my firewalls there is already present
>
> set state-policy if-bound
>
> as routing is typically static.

I had the impression that a packet matching a "quick" rule leaves pf
processing for good and is not evaluated by subsequent rules.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/