pf routing issue?
Ben Shelton
netbsd-pf at shelton.ca
Fri Mar 4 17:56:29 GMT 2005
Daniel Hartmeier wrote:
> On Fri, Mar 04, 2005 at 09:42:02AM -0800, Ben Shelton wrote:
>
>> pass in quick inet proto tcp from any to x.x.x.x keep state
>
> This allows only incoming packets (on any interface). It does not allow
> packets to go out through any interface. Even if a packet first comes in
> on one interface, and is then routed out through another interface, that
> second step is blocked, because the rule does not allow packets to go
> out through any interface. What else did you expect the 'in' option in
> that rule to do?
>
> If I understand you correctly, you've been trying to connect _from_ the
> firewall to another host (getting the 'no route to host' error, which
> has a new additional meaning, issued also when pf blocks an outgoing
> packet from a local socket), so you should expect outgoing packets on
> some interface...
I'm actually trying to connect from an outside host through the firewall
to a host behind the firewall. I understood that the keep state would
handle the return packet; am I wrong here?
Also, at various times during the testing I had included a second rule:
pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
as well. I can't guarantee that I did this in a completely orderly
fashion (it was the middle of the night), but this didn't work then.
I *think* I have the basics down here, but there probably is something
completely braindead I've done.
Thanks for the response.
Ben
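To show the two filtering steps the quoted reply describes, here is an added pf.conf illustration; it is not Ben's or Daniel's configuration. The interface names and the port-80 narrowing are assumptions, and x.x.x.x is the thread's own placeholder for the server behind the firewall.

```conf
# Added illustration, not from either poster. Assumes pf of the era discussed,
# an outside interface $ext_if, an inside interface $int_if, and the thread's
# placeholder x.x.x.x for the server behind the firewall.
ext_if  = "em0"        # assumption: name of the outside interface
int_if  = "em1"        # assumption: name of the inside interface
web_srv = "x.x.x.x"    # placeholder from the thread, not a real address

# --- Rule as posted in the thread ---
# Step 1 of a forwarded connection: the packet arrives inbound on $ext_if,
# matches here, and state is created for that inbound step.
pass in quick inet proto tcp from any to $web_srv keep state

# Step 2: the same packet is routed out through $int_if and pf evaluates it
# again, now in the 'out' direction. Nothing above matches that direction,
# so the default policy (or an explicit 'block') applies, which is the
# behaviour the quoted reply describes.

# --- The 'pass out' variant posted in the follow-up ---
# Matches packets whose *source* is the server on port 80, i.e. the server's
# replies, which the state from the 'pass in' rule already carries. It does
# not match the forwarded request, whose *destination* is the server.
pass out quick inet proto tcp from $web_srv port 80 to any keep state

# --- Rule covering the second step ---
# Permits the forwarded request on its way out through the inside interface
# (narrowed to port 80 here as an assumption about the service) and keeps
# state so the server's replies are matched on the way back.
pass out quick on $int_if inet proto tcp from any to $web_srv port 80 keep state
```

`pfctl -nf /etc/pf.conf` checks the file without loading it, and `pfctl -s state` afterwards shows whether entries exist for both the inbound and the outbound step of a test connection.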