Date:      Wed, 3 Sep 2008 15:52:04 +0200
From:      Guido van Rooij <guido@gvr.org>
To:        Jon Radel <jon@radel.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: keeping state on outgoing connections fails (?)
Message-ID:  <20080903135204.GA28111@gvr.gvr.org>
In-Reply-To: <48BE9038.8020303@radel.com>
References:  <20080903110943.GA25396@gvr.gvr.org> <48BE864C.6000006@radel.com> <20080903125407.GA27232@gvr.gvr.org> <48BE9038.8020303@radel.com>

On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
> > 
> > I did test the following ruleset:
> > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
> > 
> > And there it works, but doesn't solve my problem unfortunately.
> 
> And why doesn't it solve your problem?
> 
> You really are going to have to either keep state on ep0 or allow
> everything that's legal in "pass out on ep0" statements.
> 
> For example:
> 
> block all
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2
> pass out on ep0 inet from 10.0.0.2 to 1.2.3.1
> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
> 

And why is that so? This basically rules out keep state on outgoing packets
on any router-type system. That seems like an unnecessary limitation.

I have not yet heard any reason why this is the case. pf was modelled
after ipf, so I wonder why this change in state handling was introduced.

-Guido
