Date:      Mon, 2 Dec 2019 20:40:47 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf's states
Message-ID:  <20191202134047.GA14183@admin.sibptus.ru>
In-Reply-To: <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>
References:  <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru>

Max wrote:
>
> Is this a complete ruleset?

For this lab, yes, almost complete. There is only one more line,
"nat on $outside ...", but strictly speaking, "nat" is not a rule.

> What about "pass out..." rules?

Why would I need them? In pf, it's "pass" by default.

> You should
> check other rules since you have no "quick" in your listed rules.

1. There are no other rules.

2. Even if there were, they should be irrelevant because the
"pass in on $inside" rule should create state, and states are processed
before rules.

> The last matching rule decides what action is taken.

The last matching rule on the $inside interface is
"pass in on $inside".

The last matching rule on the $outside interface is
"block in on $dmz from any to 192.168.0.0/16"


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191202134047.GA14183>