nat pass and state
Jason C. Wells
jcw at highperformance.net
Wed May 21 01:54:28 UTC 2008
I have these rules (and others) in pf.conf:
nat pass on $ext_if from $int_net to any -> ($ext_if)
block in all
block out all
I cannot connect to websites unless I also add:
pass proto { tcp, udp } from any to any port http keep state
My understanding is that nat rules are inherently stateful. I also
understand that a packet that matches state bypasses filter rules. A
hit on a web page should generate a state on the way out and then match
that state on the way back in, avoiding the block rules. By testing, I
show that the pass http rule is needed to complete the connection.
Would someone please explain why the nat rule is not sufficient to allow
me to access a web page? I must have a gross conceptual error on how PF
works. This is too simple, but I just don't get it.
Regards,
Jason
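For reference, an added pf.conf example (not the poster's ruleset) that makes the two filtering points explicit: PF evaluates filter rules separately on every interface a packet crosses, while a nat rule is applied only on the interface it names, so LAN-originated web traffic needs a stateful pass rule on the inside interface as well as on the outside one. The macro values are assumed.

```pf
# Added example, not the original poster's configuration.
# Interface names and the internal network are assumed values.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Translation is applied only on $ext_if, on the way out. Without the
# "pass" modifier the translated packet still goes through the filter.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny on every interface, in both directions. Nothing gets
# through unless a pass rule creates a state for it.
block in all
block out all

# A web request from the LAN first arrives inbound on $int_if. The nat
# rule above is never consulted there, so this is the rule that creates
# the state; the reply will match it on the way back out of $int_if.
pass in on $int_if proto tcp from $int_net to any port { http, https } keep state

# The same packet then leaves outbound on $ext_if, where the filter sees
# it with its source already rewritten to the $ext_if address. A second
# stateful rule covers that leg and lets the reply back in on $ext_if.
pass out on $ext_if proto tcp from any to any port { http, https } keep state
```

Restricting the allowed destination ports on $int_if keeps the default deny meaningful for everything else the internal hosts might try to reach.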