Date:      Mon, 2 Dec 2019 12:23:08 +0200
From:      Artem Viklenko <artem@viklenko.net>
To:        Max <maximos@als.nnov.ru>, freebsd-pf@freebsd.org
Subject:   Re: pf's states
Message-ID:  <1c3f3105-86c4-e61a-7d81-f4d794773542@viklenko.net>
In-Reply-To: <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
References:  <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>

Hi!

Check the current state-policy - if-bound or floating.
If it is if-bound, out rules are needed. If floating, the state should pass traffic in
the reverse direction.


On 02.12.19 11:36, Max wrote:
> Hello.
> 
> Is this a complete ruleset? What about "pass out..." rules? You should check 
> other rules since you have no "quick" in your listed rules. The last matching 
> rule decides what action is taken.
> 
> 02.12.2019 5:56, Victor Sudakov wrote:
>> Dear Colleagues,
>>
>> I was asking this question on the freebsd-net mailing list, but I think
>> it would be better to re-ask it here.
>>
>> There is something I cannot understand about pf's notion of state.
>>
>> Consider this very simple example with two interfaces:
>>
>> ===================================
>> # DMZ 172.16.1.0/24
>> pass in on $dmz
>> #block in on $dmz from any to 192.168.0.0/16
>>
>> # Inside 192.168.10.0/24
>> pass in on $inside
>> ===================================
>>
>> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" 
>> from 192.168.10.3.
>> But when I uncomment the "block ..." line and restart pf, I cannot do
>> that any more. Why is that?
>>
>> My idea was that the "pass in on $inside" creates state so that return
>> traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
>> but this is not happening so I must be wrong in my understanding how
>> state works.
>>
>>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> 

-- 
Regards!



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1c3f3105-86c4-e61a-7d81-f4d794773542>
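Added example (not from any message in this thread, and not Victor's real ruleset): the ruleset from the original question with the block rule active, annotated for the two state policies Artem mentions. The interface names em0/em1 are assumptions. FreeBSD's default state-policy is floating; the commented-out `set state-policy if-bound` line reproduces the symptom described above, and the `pass out on $dmz` rule is the "out rule" that is needed under if-bound.

```pf
# Example configuration written for this archive page, not part of the thread.
# Interface names are assumptions.
dmz    = "em1"
inside = "em0"

# Default on FreeBSD is floating: a state created by a pass rule on one
# interface also matches the same connection on every other interface it
# crosses. Uncomment the next line to get the if-bound behaviour instead.
#set state-policy if-bound

# DMZ 172.16.1.0/24
pass in on $dmz
# Under floating states this rule is never consulted for the reply half of
# a connection started from $inside: the SYN-ACK from 172.16.1.10:80 matches
# the state created by "pass in on $inside" and rule evaluation is skipped.
block in on $dmz from any to 192.168.0.0/16

# Inside 192.168.10.0/24
pass in on $inside

# Only needed under if-bound. Without it the SYN leaving on $dmz matches no
# rule, passes by default and creates no state on $dmz; the reply then falls
# through the rules above, where "block in on $dmz ... to 192.168.0.0/16" is
# the last match (no "quick") and drops it. With this rule the outbound SYN
# creates a state bound to $dmz that the reply matches.
pass out on $dmz

# Per-rule alternative that overrides the global policy for one rule:
#pass in on $inside keep state (floating)
```

To check which policy a running system is using, open the telnet session and run `pfctl -ss`: a floating state shows `all` in the interface column, an if-bound state shows the interface name (em0 here). Remember Max's point when reading the ruleset: without `quick`, the last matching rule wins, so `block in on $dmz ... to 192.168.0.0/16` overrides the earlier `pass in on $dmz` for every packet that reaches rule evaluation.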