On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
>
> > I did test the following ruleset:
> > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
> >
> > And there it works, but doesn't solve my problem unfortunately.
>
> And why doesn't it solve your problem?
>
> You really are going to have to either keep state on ep0 or allow
> everything that's legal in "pass out on ep0" statements.
>
> For example:
>
> block all
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2
> pass out on ep0 inet from 10.0.0.2 to 1.2.3.1
> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>
And why is that so? This basically rules out keep state on outgoing packets on any router-type system. That seems like an unnecessary limitation. I have not yet heard any reason why this is the case. pf was modelled after ipf, so I wonder why this change in state handling was introduced.

-Guido
