Thanks for your quick response Henning.

I thought I was going mad.


Craig


----- Original Message ----- 
From: "Henning Brauer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 27, 2004 10:02 AM
Subject: Re: Replacing ipf with pf


* Craig Bennett <[EMAIL PROTECTED]> [2004-01-27 00:01]:
> Hi,
>
> I'm replacing an OpenBSD 2.8 firewall running IPF with an OpenBSD 3.4
> firewall running PF.
>
> It seems that the "keep state" rule functions differently between these
> two.
>
> In IPF, a rule like:
>
> pass in quick on rl0 from any to any port 25 keep state
>
> seems to implicitly allow the packets out on another interface (rl1).
>
> whereas in PF to get the same behaviour I seem to need:
>
> pass in quick on rl0 from any to any port 25 keep state
> pass out quick on rl1 from any to any port 25 keep state
>
> Is this expected behaviour?

yes. that was a design prerequisite.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


