Date: Fri, 04 Mar 2005 09:56:06 -0800
From: Ben Shelton <netbsd-pf@shelton.ca>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf routing issue?
Message-ID: <4228A136.30707@shelton.ca>
In-Reply-To: <20050304174927.GC6369@insomnia.benzedrine.cx>
References: <42289DEA.5050205@shelton.ca> <20050304174927.GC6369@insomnia.benzedrine.cx>
Daniel Hartmeier wrote:
> On Fri, Mar 04, 2005 at 09:42:02AM -0800, Ben Shelton wrote:
>
>> pass in quick inet proto tcp from any to x.x.x.x keep state
>
> This allows only incoming packets (on any interface). It does not allow
> packets to go out through any interface. Even if a packet first comes in
> on one interface, and is then routed out through another interface, that
> second step is blocked, because the rule does not allow packets to go
> out through any interface. What else did you expect the 'in' option in
> that rule to do?
>
> If I understand you correctly, you've been trying to connect _from_ the
> firewall to another host (getting the 'no route to host' error, which
> has a new additional meaning, issued also when pf blocks an outgoing
> packet from a local socket), so you should expect outgoing packets on
> some interface...

I'm actually trying to connect from an outside host through the firewall to a host behind the firewall. I understood that keep state would handle the return packet; am I wrong here?

Also, at various times during the testing I had included a second rule:

    pass out quick inet proto tcp from x.x.x.x port 80 to any keep state

as well. I can't guarantee that I did this in a completely orderly fashion (it was the middle of the night), but this didn't work then.

I *think* I have the basics down here, but there probably is something completely braindead I've done.

Thanks for the response.

Ben
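The point Daniel makes above is that a forwarded packet is evaluated twice: once "in" on the interface it arrives on, and again "out" on the interface it leaves on, and each pass needs a rule that matches it. The following pf.conf fragment is an added example, not a ruleset from this thread; the interface names, the macros and the default-deny policy are assumptions, and x.x.x.x stands in for the web server behind the firewall as it does in the messages. Note that on the second evaluation the packet is still addressed *to* the server on port 80 (it is the same packet, only the interface and direction change), so the out rule is written "to $webserver port 80", and its reply is matched by the state entries rather than by a separate rule.

```pf
# Added example (not from the thread). Interface names and macros are assumed.
ext_if    = "em0"       # assumed: interface facing the outside host
int_if    = "em1"       # assumed: interface facing the web server
webserver = "x.x.x.x"   # placeholder for the host behind the firewall

set skip on lo0

# Default deny in both directions on every interface; "log" sends the
# blocked packets to pflog0 so the blocking interface/direction is visible.
block in log all
block out log all

# Step 1: the connection arrives on the external interface (direction "in").
# keep state creates a state entry that also matches the server's replies
# when they leave on $ext_if.
pass in quick on $ext_if inet proto tcp from any to $webserver port 80 \
    flags S/SA keep state

# Step 2: the same packet is evaluated again when it is routed out on the
# internal interface (direction "out"). It is still "to $webserver port 80",
# so this is the rule it needs; its state entry matches the replies coming
# back in on $int_if.
pass out quick on $int_if inet proto tcp from any to $webserver port 80 \
    keep state
```

After loading the file with `pfctl -f /etc/pf.conf`, `pfctl -vsr` shows per-rule packet counters (a rule with zero hits is a quick way to spot the missing direction), `pfctl -ss` lists the state entries created by each step, and `tcpdump -n -e -ttt -i pflog0` shows every blocked packet together with the interface and direction on which it was blocked.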