From: David DeSimone <fox@verio.net>
To: Tom Judge
Cc: freebsd-pf@freebsd.org
Date: Wed, 16 May 2007 16:38:36 -0500
Subject: Re: Packet Path Through PF (once for each interface?)

Tom Judge wrote:
> According to the diagram that Greg sent a link to, state is checked for
> every interface. However, is the state information tied to an
> interface?

The answer is determined by the state-policy. In your configuration you can set state-policy to "if-bound" or "group-bound" or "floating".

If you choose "if-bound", the state will stick to the interface chosen at the time of initial evaluation of the rule. If packets start to flow through different interfaces, they will fail to match the state, and this will require a rulebase evaluation to be performed in order to determine if traffic should continue to flow.

If you choose "floating" (which is the default), state is not bound to any particular interface, and it will not matter whether the packets arrive or leave on the same interfaces; only that the packet contents match the defined state. With this setting, I believe that your rule would only be evaluated once, and as long as the state entry lasts, PF will only examine the packets as far as state, and will skip the rulebase evaluation. It will perform this state evaluation TWICE, once for ingress, again for egress.

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
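The difference between the two `set state-policy` settings discussed in the reply, as an added illustration that is not part of the thread and not pf code: a constructed model of a state table that, like pf, looks up state on ingress and again on egress, and counts how often the ruleset has to be consulted for one TCP flow crossing two interfaces (interface names, addresses and ports are made up).

```python
from dataclasses import dataclass, field

# Constructed model of pf's "floating" vs "if-bound" state-policy. Not pf code:
# a minimal state table that records when the ruleset had to be evaluated.
# Assumption: whenever the ruleset is consulted, a "pass ... keep state" rule
# matches and creates a new state entry.


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on (e.g. "em0")
    direction: str   # "in" (ingress) or "out" (egress)
    proto: str
    src: tuple       # (address, port)
    dst: tuple


@dataclass
class StateTable:
    policy: str                         # "floating" or "if-bound"
    entries: set = field(default_factory=set)
    rule_evaluations: int = 0

    def _key(self, pkt):
        # Both directions of a flow share one entry, so replies match too.
        flow = (pkt.proto, frozenset({pkt.src, pkt.dst}))
        # if-bound: the entry is tied to the interface that created it.
        # floating: only the packet contents matter, not the interface.
        return (pkt.iface, flow) if self.policy == "if-bound" else flow

    def process(self, pkt):
        """Return "state" on a state match, else "rule" after consulting the ruleset."""
        key = self._key(pkt)
        if key in self.entries:
            return "state"
        self.rule_evaluations += 1
        self.entries.add(key)
        return "rule"


def forward_flow(policy, packets):
    """Run every packet through the table; return per-packet results and rule count."""
    table = StateTable(policy)
    return [table.process(p) for p in packets], table.rule_evaluations


# Constructed sample: a connection enters on em0 and leaves on em1, then the
# reply comes back the other way. Each packet is examined twice: in and out.
A, B = ("10.0.0.5", 40000), ("192.0.2.10", 80)
SAMPLE = [
    Packet("em0", "in", "tcp", A, B),
    Packet("em1", "out", "tcp", A, B),
    Packet("em1", "in", "tcp", B, A),
    Packet("em0", "out", "tcp", B, A),
]
```

With the floating policy only the first packet reaches the ruleset; with if-bound the egress on em1 misses the em0-bound entry and the ruleset is evaluated a second time.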