pf's states
Victor Sudakov
vas at sibptus.ru
Mon Dec 2 02:56:45 UTC 2019
Dear Colleagues,
I was asking this question on the freebsd-net mailing list, but I think
it would be better to re-ask it here.
There is something I cannot understand about pf's notion of state.
Consider this very simple example with two interfaces:
===================================
# DMZ 172.16.1.0/24
pass in on $dmz
#block in on $dmz from any to 192.168.0.0/16
# Inside 192.168.10.0/24
pass in on $inside
===================================
While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3.
But when I uncomment the "block ..." line and restart pf, I cannot do
that any more. Why is that?
My idea was that the "pass in on $inside" creates state so that return
traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
but this is not happening so I must be wrong in my understanding how
state works.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
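Added example, not part of the post above and not pf's own code: a toy Python model of the packet-evaluation order pf documents (state-table lookup first; only packets with no matching state go through the ruleset, where the last matching rule wins; pass rules keep state by default). It replays the handshake from the post across the two interfaces, with the macros assumed to be $dmz = "dmz" and $inside = "inside" and a constructed client source port 40000. It also runs the same ruleset under the documented `set state-policy if-bound` setting, where a state created on one interface does not match packets on another, so the reply arriving in on $dmz falls through to the ruleset and the uncommented block rule wins. The model ignores TCP sequence tracking, `quick`, NAT and the default-pass-creates-no-state nuance beyond marking it; each step is evaluated independently.

```python
"""Simplified model of pf's decision order: state lookup, then ruleset
with last-matching-rule-wins (no 'quick').  Pass rules keep state by
default.  The state policy decides whether a state matches on any
interface ('floating', pf's default) or only on the interface it was
created on ('if-bound').  Educational toy, not pf's real code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str      # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    iface: str                      # assumed macro values: "dmz", "inside"
    dst_net: Optional[str] = None   # None means "to any"

    def matches(self, pkt: Packet) -> bool:
        if (self.direction, self.iface) != (pkt.direction, pkt.iface):
            return False
        return self.dst_net is None or ip_address(pkt.dst) in ip_network(self.dst_net)


class ToyPf:
    def __init__(self, rules, state_policy="floating"):
        assert state_policy in ("floating", "if-bound")
        self.rules = list(rules)
        self.state_policy = state_policy
        self.states = {}    # (src, sport, dst, dport) -> interface state was created on

    def _state_matches(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # return traffic
        for key in (forward, reverse):
            iface = self.states.get(key)
            if iface is None:
                continue
            if self.state_policy == "floating" or iface == pkt.iface:
                return True
        return False

    def filter(self, pkt: Packet) -> str:
        if self._state_matches(pkt):
            return "pass (state)"           # state lookup precedes the ruleset
        winner = None
        for rule in self.rules:             # last matching rule wins
            if rule.matches(pkt):
                winner = rule
        if winner is None:
            return "pass (default)"         # implicit pass, creates no state
        if winner.action == "pass":
            self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.iface
            return "pass (rule)"
        return "block (rule)"


def run_scenario(block_rule: bool, state_policy: str = "floating"):
    """Replay 192.168.10.3 -> 172.16.1.10:80 through the post's ruleset.
    Source port 40000 is a constructed value.  Each step is evaluated
    independently, so a blocked step does not stop the later ones."""
    rules = [Rule("pass", "in", "dmz")]
    if block_rule:                          # the commented-out line, enabled
        rules.append(Rule("block", "in", "dmz", dst_net="192.168.0.0/16"))
    rules.append(Rule("pass", "in", "inside"))
    pf = ToyPf(rules, state_policy)
    client, server = ("192.168.10.3", 40000), ("172.16.1.10", 80)
    steps = [
        ("SYN in on inside",      Packet("inside", "in",  *client, *server)),
        ("SYN out on dmz",        Packet("dmz",    "out", *client, *server)),
        ("SYN/ACK in on dmz",     Packet("dmz",    "in",  *server, *client)),
        ("SYN/ACK out on inside", Packet("inside", "out", *server, *client)),
    ]
    return [(name, pf.filter(p)) for name, p in steps]


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        for blk in (False, True):
            print(f"state-policy={policy} block_rule={blk}")
            for name, verdict in run_scenario(blk, policy):
                print(f"  {name:24} {verdict}")
```

Under the floating policy the model passes every packet after the first by state, with or without the block rule; under if-bound the reply in on $dmz has no usable state and the block rule, being the last match, wins. On a real box the two things to compare against this model are `pfctl -ss` (current states, including the interface each is bound to) and `pfctl -sr` (the loaded rules, with the effective `keep state` options shown), plus whether `set state-policy` appears in the ruleset.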