Date: Mon, 2 Dec 2019 09:56:42 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: pf's states
Message-ID: <20191202025642.GA99174@admin.sibptus.ru>

Dear Colleagues,

I was asking this question on the freebsd-net mailing list, but I think
it would be better to re-ask it here.

There is something I cannot understand about pf's notion of state.
Consider this very simple example with two interfaces:

===================================
# DMZ 172.16.1.0/24
pass in on $dmz
#block in on $dmz from any to 192.168.0.0/16

# Inside 192.168.10.0/24
pass in on $inside
===================================

While the "block ..." line is commented out, I can "telnet 172.16.1.10 80"
from 192.168.10.3. But when I uncomment the "block ..." line and restart
pf, I cannot do that any more. Why is that?

My idea was that the "pass in on $inside" creates state so that return
traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
but this is not happening, so I must be wrong in my understanding of how
state works.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/