On 04/07/2017 03:40, Takahiro Kurosawa wrote:
> What if you change the line:
> pass in inet proto tcp to port { ssh }
> to:
> pass in inet proto tcp to port { ssh } no state

Close, but I had to use "no state" on the "pass out" rules as well.
Now it looks like this:
-----------------------------------------------------------------------
scrub in all

set skip on lo0

pass in quick inet proto icmp from any to self no state
pass in quick inet proto tcp from any to self port { ssh } no state
block in quick log to self

pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any
pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any no state
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any no state
pass out quick from self
-----------------------------------------------------------------------


> Without "no state", the incoming ssh packet generates a pf state entry,
> then the response packets are probably passed by the state instead of
> using "route-to" rules.

That makes absolute sense...



Regards,
Nils
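An added example, not part of the thread above: pf's "reply-to" option (documented in pf.conf(5)) addresses the same problem as "no state" without giving up stateful filtering. A state created by a "reply-to" rule records the interface and gateway, so replies for a connection that arrived on one uplink are sent back through that uplink regardless of the routing table, while the TCP state tracking that "no state" discards (sequence checking, the default "flags S/SA" matching) is kept. The interface names, gateway addresses and the per-interface "to (ifname)" destinations are assumptions standing in for the poster's $if_ext1/$if_ext2/$gw_ext1/$gw_ext2 macros and "to self".

```pf
# Added example (not the poster's ruleset): stateful ssh/icmp on two uplinks
# using reply-to instead of "no state". Interface names and gateway addresses
# below are placeholders; substitute the real ones.
if_ext1 = "em0"
if_ext2 = "em1"
gw_ext1 = "192.0.2.1"
gw_ext2 = "198.51.100.1"

scrub in all
set skip on lo0

# Inbound: the state remembers reply-to, so SYN-ACKs and further replies for a
# connection that came in on $if_ext1 leave via $if_ext1/$gw_ext1 even when the
# routing table's default route points at $if_ext2 (and vice versa).
pass in quick on $if_ext1 reply-to ($if_ext1 $gw_ext1) inet proto tcp \
    from any to ($if_ext1) port ssh keep state
pass in quick on $if_ext2 reply-to ($if_ext2 $gw_ext2) inet proto tcp \
    from any to ($if_ext2) port ssh keep state
pass in quick on $if_ext1 reply-to ($if_ext1 $gw_ext1) inet proto icmp \
    from any to ($if_ext1) keep state
pass in quick on $if_ext2 reply-to ($if_ext2 $gw_ext2) inet proto icmp \
    from any to ($if_ext2) keep state
block in quick log to self

# Locally originated traffic: route-to pins each source address to its own
# uplink, as in the original ruleset. Replies to the inbound connections above
# are handled by their states and never consult these rules.
pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from ($if_ext1) to any
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from ($if_ext2) to any
pass out quick from self
```

Check the syntax before loading with "pfctl -nf /etc/pf.conf", then load with "pfctl -f /etc/pf.conf". After connecting to ssh on each uplink, "pfctl -ss" should show one ESTABLISHED state per connection, and "pfctl -vss" shows which rule created it; "tcpdump -ni em1 tcp port 22" while a session runs through em0 confirms that no replies leak out of the wrong interface. The per-interface "to ($if_ext1)" form is used instead of "to self" because reply-to needs a separate rule per uplink, each naming the gateway that belongs to that interface.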
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[email protected]"