From: "Kian Mohageri"
Date: Wed, 16 May 2007 17:06:56 -0700
To: "Tom Judge"
Cc: David DeSimone, freebsd-pf@freebsd.org
Subject: Re: Packet Path Through PF (onec for each interface?)

On 5/16/07, Tom Judge wrote:
> em0 and bge0
> em2 and bce0
> em3 and bce1
>
> Do all the interface names have to match on the HA pair?

Yes they do - but that is only if you use an if-bound state-policy, which isn't default.

Keep in mind also that states also have a direction associated with them. Take this for example from my firewalls:

# pfctl -ss | grep 66.165.31.204
all tcp 66.165.31.204:22 <- 71.227.220.29:1854       ESTABLISHED:ESTABLISHED
all tcp 71.227.220.29:1854 -> 66.165.31.204:22       ESTABLISHED:ESTABLISHED

You should read Daniel Hartmeier's (PF developer) 3-part article on Undeadly. Maybe it will clear things up for you.

http://www.undeadly.org/cgi?action=article&sid=20060927091645

Kian
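
Added example, not part of the original message: a Python sketch that parses non-NAT `pfctl -ss` lines in the format shown above and lists the states bound to an interface name that the other firewall of the pair does not have. The if-bound sample lines (documentation addresses) and the function names are constructed for illustration; the peer interface names are the ones quoted from Tom Judge's message.

```python
import re

# One non-NAT line of `pfctl -ss` output, in the layout shown in the message:
#   <ifname|all> <proto> <addr:port> <-|-> <addr:port> <state>
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?P<arrow><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)

def parse_state(line):
    """Return a dict describing one state line, or None if it does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    # "all" marks a floating state; any other value is the bound interface.
    s["if_bound"] = s["ifname"] != "all"
    # pfctl prints "<-" for inbound states and "->" for outbound states.
    s["direction"] = "in" if s.pop("arrow") == "<-" else "out"
    return s

def unmatched_on_peer(state_lines, peer_interfaces):
    """States bound to an interface name that the peer does not have."""
    problems = []
    for line in state_lines:
        s = parse_state(line)
        if s and s["if_bound"] and s["ifname"] not in peer_interfaces:
            problems.append(s)
    return problems

# First two lines are from the message; the em0 lines are constructed.
SAMPLE = [
    "all tcp 66.165.31.204:22 <- 71.227.220.29:1854       ESTABLISHED:ESTABLISHED",
    "all tcp 71.227.220.29:1854 -> 66.165.31.204:22       ESTABLISHED:ESTABLISHED",
    "em0 tcp 192.0.2.10:22 <- 198.51.100.7:40000       ESTABLISHED:ESTABLISHED",
    "em0 udp 192.0.2.10:53000 -> 198.51.100.53:53       MULTIPLE:SINGLE",
]

# Interface names on the other box of the pair, as quoted in the thread.
PEER_INTERFACES = {"bge0", "bce0", "bce1"}

if __name__ == "__main__":
    for s in unmatched_on_peer(SAMPLE, PEER_INTERFACES):
        print(f"{s['ifname']} {s['proto']} {s['direction']}: "
              f"{s['left']} / {s['right']} has no matching interface on peer")
```

With the default floating policy every line starts with `all`, so the function returns an empty list regardless of how the peer's interfaces are named.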