On Wed, Oct 30, 2002 at 03:38:37PM -0300, Helio Alexandre Lopes Loureiro wrote:

>       It is blocking all packet coming from a dns server on xl1 interfaces. 
> A stateful firewall is not designed to keep a "pass rule" over all
> interfaces?  I guessed rules were matched like:

This actually is one of the more significant semantic differences in pf:
a state entry doesn't allow matching packets to pass all interfaces, but
only the interface the state was created for. States are limited to the
interface they are created on. When filtering a connection on multiple
interfaces (like with your 'block in all', which applies to all
interfaces), you have to create state on each interface you want the
connection to pass through. This might seem overly restrictive, but it
allows you to define in detail what interfaces a connection may pass
through. And often, you really don't need to filter on all interfaces,
and the overly broad default block is not intentional.

Daniel

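As an added illustration of the per-interface state behaviour Daniel describes (this is a constructed example, not part of his message or of pf's own documentation): a pf.conf for a two-interface firewall where 'block in all' applies on both sides and a connection has to be passed on each interface it crosses. The interface names xl0 (external) and xl1 (internal), the LAN prefix 192.168.1.0/24 and the DNS server address 192.0.2.53 are assumptions for the example.

```pf
# Constructed example in the pf.conf syntax of the period (explicit
# "keep state"). Interface names and addresses are assumptions.
ext_if  = "xl0"
int_if  = "xl1"
lan     = "192.168.1.0/24"
dns_srv = "192.0.2.53"

# Default-deny inbound on every interface. A DNS query from the LAN is
# inbound on $int_if, and the server's reply is inbound on $ext_if, so
# this rule is evaluated on both interfaces.
block in all

# INCOMPLETE: this creates state on $ext_if only. The query is still
# blocked inbound on $int_if, because a state entry only matches packets
# on the interface it was created for.
# pass out on $ext_if proto udp from $lan to $dns_srv port 53 keep state

# CORRECT: create state on each interface the connection passes through.
pass in  on $int_if proto udp from $lan to $dns_srv port 53 keep state
pass out on $ext_if proto udp from $lan to $dns_srv port 53 keep state
# The reply matches the $ext_if state on the way in. Leaving on $int_if
# it is outbound, which "block in all" does not cover, and it also
# matches the $int_if state in the reverse direction.

# The alternative Daniel points to: only filter where you need to. With
# "block in on $ext_if all" in place of "block in all", the LAN side is
# unfiltered and the single pass rule on $ext_if is enough.
```

Parse the file first with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`; after a query from the LAN, `pfctl -s state` should show a state entry for each interface the packets crossed, which is the quickest way to confirm that the connection is being tracked on both xl0 and xl1 rather than on only one of them.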