From: peter@bgnett.no (Peter N. M. Hansteen)
To: "Eugene M. Minkovskii"
Cc: freebsd-questions@freebsd.org
Date: Tue, 22 Mar 2005 13:49:36 +0100
Subject: Re: OpenBSD's pf and traffic
Message-ID: <86d5tr6e1r.fsf@amidala.datadok.no>
In-Reply-To: <20050322124220.GB3137@mccme.ru> (Eugene M. Minkovskii's message of "Tue, 22 Mar 2005 15:42:20 +0300")

"Eugene M. Minkovskii" writes:

> Just a moment, does it mean that your last rule allows any
> incoming connections from the world to clients if they are matched by
> client2_inports, ANY, not only connections opened by clients?

That rule would let new connections from anywhere pass on the allowed
ports to the clients. This might be useful mainly if your firewall is
between the world and one or more servers, though.

> Moreover, I read in the documentation that the state table is read
> BEFORE the rules, and connections that are opened by clients in the
> first rule:
>
>   pass out on $ext_if from $client1 to any proto tcp $allowed_out \
>       label client2 keep state
>
> will not be marked by label client2-in because they don't pass
> through this rule. Am I right?

In a word, yes. The 'keep state' in these examples would, AFAIK, mean
that the counters keep track of all traffic for a connection, so
traffic initiated from the inside would match the pass out rule's
counters, while connections opened from the outside would count on the
pass in rules.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
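An added example, not code from the thread, laying out the two rules the reply describes with distinct labels so the counters can be read apart. The interface name, addresses and port lists are assumed values; the syntax is pf of the FreeBSD 5.x / OpenBSD 3.x era, where keep state still had to be written out (later pf releases apply it by default).

```conf
# Added example, not from the original thread. Interface, addresses and
# port lists are assumed values.
ext_if          = "fxp0"
client1         = "192.0.2.10"
client2         = "192.0.2.20"
allowed_out     = "{ 22, 80, 443 }"
client2_inports = "{ 22 }"

# Connections client1 opens towards the world. With 'keep state', every
# later packet of such a connection, in either direction, is matched from
# the state table and counted under this rule's label, never under a
# 'pass in' rule.
pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
    label client1-out keep state

# Connections the world opens towards client2 on its allowed ports. This
# rule is what lets outside hosts in; its label isolates that traffic.
pass in on $ext_if proto tcp from any to $client2 port $client2_inports \
    label client2-in keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s labels` then prints the per-label counters and `pfctl -vs rules` the per-rule ones. Connections opened by client1 only ever show under client1-out, so a non-zero client2-in counter means an outside host opened a connection, which is exactly the distinction the question was about. If accepting new connections from anywhere on those ports is not intended, drop or narrow the pass in rule.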