Date:      Thu, 4 Apr 2019 09:25:02 +0300
From:      Artem Viklenko <artem@viklenko.net>
To:        freebsd-net@freebsd.org
Subject:   Re: need help with ipfw nat to pf nat migration
Message-ID:  <27907a35-8cae-06d0-a0e6-b7deb64ecbfd@viklenko.net>
In-Reply-To: <4587c1d4-0fa6-40db-c394-5b3a2ee81646@viklenko.net>
References:  <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru> <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net> <20190404043004.GA10861@admin.sibptus.ru> <4587c1d4-0fa6-40db-c394-5b3a2ee81646@viklenko.net>

On 04.04.19 08:22, Artem Viklenko via freebsd-net wrote:
> On 04.04.19 07:30, Victor Sudakov wrote:
>>
>> 1.
>>
>>> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep 
>>> state allow-opts tag SERVER
>>
>> 2.
>>
>>> block return-rst out log quick on $mob_if inet proto tcp to any port 25 
>>> tagged SERVER
>>
>> You have already passed the packet with "quick" in the first rule, it
>> probably will never hit the second "block" rule?
>>
> 
> No, each rule is bound to a different interface - i.e. different conditions.

Actually, you should check state-policy in your configuration.
In my firewalls the following is already present:

set state-policy if-bound

as routing is typically static.

"Your mileage may vary"...

-- 
Regards!
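As an added illustration (not part of the original message), the two quoted rules combined with the state-policy setting in one pf.conf fragment; the macro names are the thread's, the interface and address values are placeholders.

```pf
# Macros as used in the thread; the values below are placeholders.
int_if = "em0"
mob_if = "em1"
server = "192.0.2.10"

# The default is "set state-policy floating": the state created by the pass
# rule on $int_if also matches the same packet when it leaves on $mob_if, so
# the packet is passed from the state table and the block rule below is never
# evaluated. With if-bound the state is tied to $int_if; on $mob_if the packet
# is evaluated against the ruleset again and the tagged block rule applies.
set state-policy if-bound

# 1. Accept the server's TCP connections on the inside interface and tag them.
pass in quick on $int_if inet proto tcp from $server to any \
    flags S/SA keep state allow-opts tag SERVER

# 2. Refuse outbound SMTP from tagged packets on the mobile uplink.
block return-rst out log quick on $mob_if inet proto tcp to any port 25 \
    tagged SERVER
```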
