Hi Alexandr,

Thanks for the explanations.

This all makes sense, except the part about the outgoing packet on gw1, destined
for gw2 across the linknet.

> There is no state which matches the outbound reply at gw1. Unless the outbound
> interface towards gw2 is in the admin/external/linknet group, the outbound ICMP
> reply packet will match the block all rule on gw1.

The linknet interface *is* in the linknet group.

So it should match this rule and be allowed?
pass out quick on { admin, external, linknet }

...and in the case of ICMP, even if you ignore the above rule, it should be
allowed by:
pass quick proto { icmp, icmp6 }

Thanks,

Ian


On Tue, 3 May 2022, at 12:05 AM, Alexandr Nedvedicky wrote:
> From gw2's point of view it makes sense, because we block everything inbound by
> the 'block all' rule. Outbound TCP/UDP sessions are allowed. The first outbound
> packet creates state, which allows the reply to come back. Such a state is also
> transmitted by pfsync to gw1.
> 
> Let's turn our attention to gw1, which is seeing a reply to a request packet
> sent by gw2. There is a state on gw1 which allows the inbound reply. The inbound
> reply gets forwarded and is about to leave gw1 as an outbound packet.
> 
> There is no state which matches the outbound reply at gw1. Unless the outbound
> interface towards gw2 is in the admin/external/linknet group, the outbound ICMP
> reply packet will match the block all rule on gw1.
> 
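Added example, not from either poster: a minimal pf.conf reconstructed from the three rules quoted in this thread, with `log` added to the block rule so that a blocked packet shows up on pflog0 together with the number of the rule that dropped it. The interface-to-group assignments (`vio1` in `linknet`, and so on) and the `log` keyword are assumptions; the thread does not show the full ruleset. The commands in the comments are the checks a practitioner would run on gw1 to see which rule the outbound reply actually hits, rather than reasoning about it from the ruleset alone.

```pf
# /etc/pf.conf (assumed layout, not the original poster's file)
#
# Interface groups are set outside pf, e.g.:
#   ifconfig vio1 group linknet     # link to gw2 (assumed name)
#   ifconfig vio0 group external    # assumed name
#   ifconfig vio2 group admin       # assumed name
# pfsync traffic itself should not be filtered:
set skip on { lo0, pfsync0 }

# Default deny; 'log' is added here so blocked packets and the blocking
# rule number appear on pflog0.
block log all

# Rules quoted in the thread. 'quick' stops evaluation at the first match,
# so an outbound packet leaving on a linknet/admin/external interface is
# passed here (and creates state) before the ICMP rule is ever consulted.
pass out quick on { admin, external, linknet }
pass quick proto { icmp, icmp6 }

# Checks on gw1 (assumed interface names):
#   pfctl -vvsr                 # rule numbers plus per-rule match counters
#   pfctl -vvss                 # states, including ones synced from gw2
#   tcpdump -n -e -ttt -i pflog0 # "rule N/(match) block out on vio1" tells
#                                # which rule and direction dropped the packet
```

Reading `pfctl -vvss` on gw1 is the useful part of the check: a state imported over pfsync is keyed on the interface and direction it was created with on gw2, so whether the outbound leg on gw1 is matched by that state or has to be matched by a rule is answered by which state (if any) shows the packet counters incrementing.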
