From owner-freebsd-pf@FreeBSD.ORG  Wed Sep  3 14:44:05 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 805801065672
	for <freebsd-pf@freebsd.org>; Wed,  3 Sep 2008 14:44:05 +0000 (UTC)
	(envelope-from guido@gvr.org)
Received: from gvr.gvr.org (gvr-gw.gvr.org [82.95.154.195])
	by mx1.freebsd.org (Postfix) with ESMTP id 401318FC08
	for <freebsd-pf@freebsd.org>; Wed,  3 Sep 2008 14:44:05 +0000 (UTC)
	(envelope-from guido@gvr.org)
Received: by gvr.gvr.org (Postfix, from userid 657)
	id 61BEB42D840; Wed,  3 Sep 2008 16:44:04 +0200 (CEST)
Date: Wed, 3 Sep 2008 16:44:04 +0200
From: Guido van Rooij <guido@gvr.org>
To: Artis Caune <artis.caune@gmail.com>
Message-ID: <20080903144404.GB28697@gvr.gvr.org>
References: <20080903110943.GA25396@gvr.gvr.org> <48BE864C.6000006@radel.com>
	<20080903125407.GA27232@gvr.gvr.org> <48BE9038.8020303@radel.com>
	<20080903135204.GA28111@gvr.gvr.org> <48BE9B74.90404@radel.com>
	<9e20d71e0809030732v2d202cc5x74a33977d8d9ac64@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <9e20d71e0809030732v2d202cc5x74a33977d8d9ac64@mail.gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: keeping state on outgoing connections fails (?)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2008 14:44:05 -0000

On Wed, Sep 03, 2008 at 05:32:25PM +0300, Artis Caune wrote:
> >>>> I did test the folowing ruleset:
> >>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
> >>>> block drop out log quick on ep0 all
> >>>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
> 
> maybe "set skip on ep0" ?
> 

Nope. There will be outgoing keep state rules on ep0. But not fro connections
which are already in the state table.

besides the skip would roll out all incoming rules as well.

-Guido