2007/1/17, Brian Candler <[EMAIL PROTECTED]>:
Someone please correct me if I'm wrong, but I believe that the 'keep state'
only applies to the opposite packets through the same interface. For
example:
   pkt1    +----------------+   pkt1'
  -------> | ext_if  int_if | ------>
  <------- |                | <------
   pkt2    +----------------+   pkt2'
A rule which matches pkt1 inbound on ext_if with "keep state" will also
match pkt2 outbound on ext_if.
But I believe you will need another rule to permit pkt1' outbound via
int_if. If that rule has "keep state" then it will also match pkt2' inbound
via int_if.
If you look at the example at
http://www.openbsd.org/faq/pf/example1.html
you will see that they deal with this by a global "pass out keep state"
rule. Try adding this to your ruleset after your "block in log all".
Thanks Brian. I've added the global pass out this morning and
everything has started to work, but I wasn't sure why this was needed.
Now I think I understand; every state is a [src, dst, direction] tuple
which lets pass [src -> dst, direction] and [dst -> src, not(direction)]
packets, but not [src -> dst, not(direction)] packets. In my case:
[192.168.1.161 -> dmz_ip, in ] and [dmz_ip -> 192.168.1.161, out] passed, but
[192.168.1.161 -> dmz_ip, out] and [dmz_ip -> 192.168.1.161, in ] did not.
Is that right?
I see that I was also misinterpreting state-policy.
The old pf.conf was full of pass out rules, which I assumed were
needed because of a "block out all" rule. I also realize that a couple
of states are needed for every session.
Thanks again
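The two rulesets the thread contrasts, written out as an added example (constructed here, not taken from the thread or from the pf FAQ). The interface names and the DMZ address are placeholders assumed for the poster's network; the client 192.168.1.161 and the "block in log all" rule come from the thread.

```pf
# Constructed example, not the poster's pf.conf. Interface names and the
# DMZ address are placeholders; 192.168.1.161 is the client from the thread.
int_if = "fxp0"          # placeholder: network of 192.168.1.161
dmz_if = "fxp1"          # placeholder: network of dmz_ip
dmz_ip = "10.0.0.10"     # placeholder for the poster's dmz_ip

# --- Before: only the inbound half is stated ---
# The state created by "pass in on $int_if" is [192.168.1.161 -> dmz_ip, in]
# on $int_if. It also admits the reply [dmz_ip -> 192.168.1.161, out] on
# $int_if. The same request leaving on $dmz_if is an "out" packet with no
# matching state; it passes only by pf's default and creates no state, so
# the reply [dmz_ip -> 192.168.1.161, in] on $dmz_if hits "block in log all".
#
# block in log all
# pass in on $int_if proto tcp from 192.168.1.161 to $dmz_ip port 80 keep state

# --- After: global "pass out keep state", as in the FAQ example ---
# The request leaving on $dmz_if now creates a second state
# [192.168.1.161 -> dmz_ip, out] on $dmz_if, which admits the reply
# [dmz_ip -> 192.168.1.161, in] on $dmz_if. Two states per session,
# one per interface, which is what the thread observes.
block in log all
pass out keep state
pass in on $int_if proto tcp from 192.168.1.161 to $dmz_ip port 80 keep state
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`, and after loading compare `pfctl -ss` to see the two states the session creates, one on each interface.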