Date:      Fri, 23 Oct 2009 14:15:40 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        questions@freebsd.org
Subject:   packet filter keep state doesn't
Message-ID:  <4AE19E6C.8030408@locolomo.org>

Hi:

I have a setup like this:

             LAN          SRV
    CLIENT ------- FBSD ------- GW/DSL ---- Internet

Now, I'd like my client to connect to the DSL box to manage it, so I 
have created the following rules in my pf.conf:

# inbound from the client on the LAN interface, state created here
pass  in log quick on $FBSD_LAN inet proto tcp from CLIENT to GW \
      port 80 flags S/SA keep state
# outbound from the FBSD box itself on the SRV interface
pass  out log quick on $FBSD_SRV inet proto tcp from $FBSD_IP \
      to <Internet> port 80 keep state
# everything else leaving on the SRV interface ("all", pf.conf has no bare "any")
block out log quick on $FBSD_SRV all

I added the log keyword for debugging. It turns out that the packet is 
blocked by the last rule, despite the keep state.

Am I doing something wrong or is this how it is supposed to be? I 
thought that I could just concentrate on filtering the incoming 
packets using keep state; then the out rules would only apply to packets 
originating from the FBSD box.

The curious thing is that since the FBSD box does NAT for connections 
with the Internet, packets destined for the Internet are not affected.

Thanks, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AE19E6C.8030408>
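As an added illustration, not part of Erik's message and not an answer from the thread, the pf.conf fragment below shows the setting that decides whether a state created by an inbound rule on one interface also matches the same connection when it is forwarded out through another interface. Interface names, addresses and the table contents ($lan_if, $srv_if, $client, $gw, <internet>) are assumed for the example; the three filter rules mirror the ones in the message.

```conf
# Added example, not from the original message. Interface and address
# names are assumed purely for illustration.
lan_if = "em0"
srv_if = "em1"
client = "192.168.1.10"
gw     = "192.168.2.1"
# everything except the two directly attached RFC 1918 segments
table <internet> { 0.0.0.0/0, !192.168.0.0/16 }

# floating (pf's default): a state created by the inbound rule on $lan_if
# also matches the forwarded packets leaving on $srv_if, so no "pass out"
# rule is needed for the client's connection to the gateway.
# if-bound: a state is tied to the interface it was created on, so the
# forwarded packet is evaluated against the $srv_if out rules again and
# a trailing "block out" will catch it.
set state-policy floating

pass  in  log quick on $lan_if inet proto tcp from $client to $gw \
      port 80 flags S/SA keep state
pass  out log quick on $srv_if inet proto tcp from ($srv_if) \
      to <internet> port 80 keep state
block out log quick on $srv_if all
```

To see which of the two behaviours a running box exhibits, `pfctl -s info` prints the active state-policy, `pfctl -ss` lists the state entries with the interface they are bound to (an interface name appears in place of "all" for if-bound states), and because the rules carry the log keyword, `tcpdump -n -e -ttt -i pflog0` shows the rule number that matched or blocked each logged packet.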