pf's states

Artem Viklenko artem at viklenko.net
Mon Dec 2 10:23:26 UTC 2019


Hi!

Check current state-policy - if-bound or floating.
If it is if-bound, out rules are needed. If floating - the state should pass traffic in 
the reverse direction.


On 02.12.19 11:36, Max wrote:
> Hello.
> 
> Is this a complete ruleset? What about "pass out..." rules? You should check 
> other rules since you have no "quick" in your listed rules. The last matching 
> rule decides what action is taken.
> 
> 02.12.2019 5:56, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I was asking this question on the freebsd-net mailing list, but I think
>> it would be better to re-ask it here.
>>
>> There is something I cannot understand about pf's notion of state.
>>
>> Consider this very simple example with two interfaces:
>>
>> ===================================
>> # DMZ 172.16.1.0/24
>> pass in on $dmz
>> #block in on $dmz from any to 192.168.0.0/16
>>
>> # Inside 192.168.10.0/24
>> pass in on $inside
>> ===================================
>>
>> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" 
>> from 192.168.10.3.
>> But when I uncomment the "block ..." line and restart pf, I cannot do
>> that any more. Why is that?
>>
>> My idea was that the "pass in on $inside" creates state so that return
>> traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
>> but this is not happening so I must be wrong in my understanding how
>> state works.
>>
>>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 

-- 
Regards!
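An added pf.conf example (not from the thread) showing the two situations the replies describe: with the default floating state-policy the state created by "pass in on $inside" also matches the reply arriving on $dmz, while with if-bound states an explicit "pass out on $dmz" rule is needed so that a state exists on the DMZ interface before the block rule is reached. The interface names and macro values are assumed.

```pf
# Added example, not the original poster's ruleset; interface names are assumed.
dmz = "em1"       # 172.16.1.0/24
inside = "em0"    # 192.168.10.0/24

# Option A: floating states (the default). The state created when the SYN
# passes in on $inside is matched on any interface, so the reply from
# 172.16.1.10:80 entering on $dmz is passed by the state table and the
# block rule below is never evaluated for it.
set state-policy floating

# Option B: interface-bound states. The state made on $inside does not match
# packets on $dmz, so the reply is evaluated against the $dmz rules below.
# Without "quick", the last matching rule wins, and that is the block rule.
# set state-policy if-bound

# DMZ 172.16.1.0/24
pass in on $dmz
block in on $dmz from any to 192.168.0.0/16

# Needed with if-bound states: the outbound SYN on $dmz now matches a pass
# rule and creates a state on $dmz; the reply matches that state instead of
# falling through to the block rule above.
pass out on $dmz keep state

# Inside 192.168.10.0/24
pass in on $inside
```

After loading the ruleset, `pfctl -s states` shows which interface each state is bound to, which makes the difference between the two policies visible when the telnet test is repeated.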

