Date: Mon, 2 Dec 2019 15:18:08 +0100
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <9c221ef5-e300-378b-1db8-6de18e652000@tuxpowered.net>
In-Reply-To: <1c3f3105-86c4-e61a-7d81-f4d794773542@viklenko.net>
References: <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru> <1c3f3105-86c4-e61a-7d81-f4d794773542@viklenko.net>
On 02.12.19 11:23, Artem Viklenko via freebsd-pf wrote:
> Hi!
>
> Check current state-policy - if-bound or floating.
> If it is if-bound, out rules needed. If floating - state should pass
> traffic in reverse direction.

That's not true. Created pf states will always match bidirectional traffic. State-bound means that finding the existing state of an incoming packet is done not only by the normal TCP/IP quadruple, but the incoming interface is also checked.

Floating is useful when you have a router and a given TCP session can move from one uplink to another. Packets will still match the connection established before.

Interface-bound is useful if you have traffic passing twice via the same router, two ways. For example, you run pf on a router and one host behind the router wants to talk to another host behind the same router, but traffic is not routed by this router itself and is always sent to another router instead. In this case a packet incoming from the originating host would be indistinguishable from a packet bounced back by the upstream router, if not for the interface being added to the state key.
-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
| Vegeta                 | www: http://vegeta.tuxpowered.net       |
`------------------------^---------------------------------------'
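A toy model of the two lookup policies discussed in the reply above, added here as an example; it is not part of the thread and not pf's own code. The interface names, addresses and ports are constructed, and the state key is reduced to protocol plus endpoints (plus the interface under if-bound), which is enough to show why only an interface-bound state can tell the original packet from the copy bounced back by the upstream router.

```python
# Constructed toy model of pf state lookup (not pf's code): the state key is
# the protocol plus both endpoints; if-bound adds the creating interface.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ifname: str   # interface the packet is seen on
    src: str
    sport: int
    dst: str
    dport: int

def state_key(pkt, policy):
    # Endpoints are sorted so a reply (B->A) maps to the same key as the
    # original packet (A->B): a state matches traffic in both directions.
    ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    key = ("tcp",) + ends
    if policy == "if-bound":
        key += (pkt.ifname,)  # interface becomes part of the lookup
    return key

class StateTable:
    def __init__(self, policy):
        assert policy in ("floating", "if-bound")
        self.policy = policy
        self.states = {}

    def process(self, pkt):
        """Return 'match' if an existing state covers pkt, else create one."""
        key = state_key(pkt, self.policy)
        if key in self.states:
            return "match"
        self.states[key] = pkt
        return "new"

def scenario(policy):
    # Host A (behind em1) talks to host B; the pf box forwards the packet to an
    # upstream router that sends the very same packet back in on em0.
    t = StateTable(policy)
    pkts = {
        "original": Packet("em1", "10.0.1.10", 40000, "10.0.2.20", 22),
        "reply": Packet("em1", "10.0.2.20", 22, "10.0.1.10", 40000),
        "bounced": Packet("em0", "10.0.1.10", 40000, "10.0.2.20", 22),
    }
    return {name: t.process(p) for name, p in pkts.items()}

if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, scenario(policy))
```

Under both policies the reply matches the existing state (states are bidirectional either way); the bounced copy arriving on em0 matches the em1 state only when it is floating, and gets its own rule evaluation when it is if-bound.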