On Sat, May 26, 2012 at 9:30 AM, Stuart Henderson <[email protected]> wrote:
> On 2012-05-26, Jan Stary <[email protected]> wrote:
>> The "Passing Traffic" example at
>> http://www.openbsd.org/faq/pf/filter.html
>> doesn't seem to be completely accurate.
>>
>> # Pass traffic in on dc0 from the local network, 192.168.0.0/24,
>> # to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
>> # return traffic out on dc0.
>> pass in on dc0 from 192.168.0.0/24 to 192.168.0.1
>> pass out on dc0 from 192.168.0.1 to 192.168.0.0/24
>>
>> It's the "return" that bugs me: the first rule alone
>> makes the _return_ traffic be passed. The second
>> rule allows traffic that originates (creates state)
>> on the way out. Right?
>>
>
> Probably an incomplete conversion of the faq when the default was changed
> to stateful. If someone wants to carefully go over faq/pf/ (or at least going
> over one whole page rather than just parts of a page), check/update things
> and send a diff, that would be very nice and there's a good chance it would
> get committed..
>
It allows the router (or other machines not in the network) to reach other computers in the network, and I'm not sure whether, without that rule, you would be able to ssh from 192.168.0.10 to 192.168.0.20 (since you only have a state 192.168.0.10->192.168.0.1 and not 192.168.0.1->192.168.0.20). It allows, for instance: you want to reach your machine remotely, and it is behind the firewall 192.168.0.1, so you do:

1 - ssh to your router, or to some machine that the router translates its IP to.
2 - Access your machine inside the network without NAT-ing direct access to it.
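The following pf.conf fragment is an added illustration, not text from the FAQ or from anyone in this thread, of how the two rules under discussion behave under pf's default stateful filtering. The interface dc0 and the addresses 192.168.0.0/24 and 192.168.0.1 are taken from the FAQ example; the macro names, the `block all` default and the comments are assumptions made here for illustration.

```conf
# /etc/pf.conf -- added example, not the FAQ's text. Interface and addresses
# (dc0, 192.168.0.0/24, 192.168.0.1) come from the FAQ example; the macro
# names and the default-deny rule are assumptions for illustration.
int_if = "dc0"
lan    = "192.168.0.0/24"
fw_ip  = "192.168.0.1"

# Default deny in both directions so the effect of each pass rule is visible.
block all

# Filtering is stateful by default: a packet matched by this rule creates a
# state entry, and the replies from 192.168.0.1 back to the LAN host are
# matched against that state before the ruleset is consulted. No "pass out"
# rule is needed for the return traffic.
pass in on $int_if from $lan to $fw_ip

# This rule is only needed for connections the firewall itself originates
# toward the LAN (for example the firewall ssh'ing to a LAN host). It creates
# the state on the way out; the LAN host's replies then match that state.
pass out on $int_if from $fw_ip to $lan

# Checks (run as root):
#   pfctl -nvf /etc/pf.conf   parse without loading; -v prints each rule
#                             expanded with its defaults
#   pfctl -f /etc/pf.conf     load the ruleset
#   pfctl -ss                 show the state table; the entry created when a
#                             LAN host connects to 192.168.0.1 is what lets
#                             the replies through without a matching pass out
```

To see the point the thread makes, load the ruleset with the `pass out` line commented out, connect from a LAN host to 192.168.0.1, and confirm with `pfctl -ss` that the connection works and a state exists; then try to connect from 192.168.0.1 to a LAN host and observe that it is blocked until the `pass out` rule is restored.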

