On Wed, Sep 03, 2008 at 06:17:59PM +0200, Peter Wullinger wrote:
> A little bit of guessing led me to the (possible, I have not tested
> this) culprit: Is your state-policy set to "floating" or "if-bound"?

I tried both, but there is no difference.

> From a casual look at the log entries and traffic snapshots you have sent,
> this seems to be pf working in "if-bound" mode. In this case, the
> created state table entry matches incoming on bge0, but not outgoing
> on ep0 any more (packets pass through pf twice, as expected).
>
> This still may be a bug, but it's common to rule out all possible
> culprits before spreading blame.

True, but as state is created on the outbound interface for the first packet (bge), there is no corresponding incoming interface yet.

At least with ipf, the return packet would first match the recorded outgoing interface (bge). Then it follows the gateway's internal routing. When it then goes out and passes through the firewall code, it notices it does not yet know the interface (ep0), records it in the state entry and passes it.

This makes perfect sense: when the original packet would have arrived at a different interface than bge0, there must have been some kind of spoofing and it should have been blocked in the first place.

-Guido

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
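As an added illustration of the two state-policy settings discussed in this thread (this is not part of the exchange and not Peter's or Guido's configuration), here is a pf.conf fragment for a router that, like the one described above, forwards between bge0 and ep0. The interface roles (bge0 external, ep0 internal), the 10.0.0.0/24 LAN range and the SSH example service are assumptions chosen for the example:

```conf
# Assumed roles for the example: bge0 is the external interface,
# ep0 the internal one; 10.0.0.0/24 is a constructed LAN range.
ext_if = "bge0"
int_if = "ep0"
lan    = "10.0.0.0/24"

# Option A: floating states (the default).  A state entry created when
# the first packet is evaluated on ep0 is matched again when that packet
# is evaluated a second time on bge0, when the reply arrives on bge0,
# and when the reply is forwarded out on ep0.  One stateful pass rule
# therefore covers all four evaluations of a forwarded connection.
set state-policy floating

block all
pass in on $int_if inet proto tcp from $lan to any port 22 keep state

# Option B: if-bound states.  Each state entry is bound to the interface
# it was created on, so a packet evaluated on the other interface does
# not match it.  Forwarded traffic then needs a state on both interfaces:
# a stateful pass rule on ep0 (LAN side) and another on bge0.  Swap the
# comments on the lines below to use this variant instead of option A.
# set state-policy if-bound
#
# block all
# pass in  on $int_if inet proto tcp from $lan to any port 22 keep state
# pass out on $ext_if inet proto tcp from $lan to any port 22 keep state

# The policy can also be set per rule, overriding the global setting:
# pass out on $ext_if inet proto tcp from $lan to any port 22 keep state (if-bound)
```

With option B, the symptom described in the thread (the reply matches the state on bge0 but is dropped on ep0) is what you get if only the bge0 rule exists, because nothing ever created an ep0-bound state; `pfctl -ss` (`pfctl -vss` for the bound interface) shows which interface each state belongs to and is the quickest way to tell the two modes apart.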
