Hello, I'm stuck with understanding how pf works with keeping state of the flows.

I expect the following simple ruleset to put the firewall in the state so that any host on the network connected to the fxp0 interface sending a packet with the SYN bit set to another host accessible through the firewall will create a state entry inside the pf tables. The packet then leaves through the fxp1 interface freely, as there is an entry in the state table.

    int_if=fxp0
    ext_if=fxp1
    block in on $int_if
    pass in on $int_if inet proto tcp from $int_if:network to any flags S/SA keep state
    block out on $ext_if

But it doesn't work, as pf blocks the packet as it leaves the external interface. If I understand correctly, this situation happens because pf allows the flow of packets only for already established connections. But in this setup, when a packet tries to leave the firewall, the state of the connection the packet belongs to is CLOSED->SYN_SENT, thus pf drops it. And that makes 'keep state' unusable when I want to create a state based on incoming traffic, as I should add another rule that allows packets to leave and establish the connection.

Can someone correct me on this?

Andrey Nepomnyaschih
[EMAIL PROTECTED]
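The following is an added example, not part of the message above: the same ruleset written as a pf.conf fragment, with `log` added to the two block rules so that a dropped SYN can be traced to the rule and interface that dropped it. The interface names fxp0 and fxp1 are taken from the message; the assumption that pflog0 is the logging interface is mine.

```pf
# pf.conf fragment (added example, not the original poster's file)
int_if = "fxp0"
ext_if = "fxp1"

# Log every blocked packet, so the rule that drops a packet and the
# interface it was dropped on show up on pflog0
block in log on $int_if
block out log on $ext_if

# Create a state entry for a new TCP connection arriving from the
# internal network. A packet that matches an existing state entry is
# passed by the state lookup before the rules are evaluated, so the
# outbound side of the connection on $ext_if is meant to be covered
# by this entry rather than by a separate pass out rule.
pass in on $int_if inet proto tcp from $int_if:network to any \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`. After a host on the internal network sends a SYN, `pfctl -s states` shows whether the entry was actually created, `pfctl -vs rules` shows which rules have matched via their packet counters, and `tcpdump -n -e -ttt -i pflog0` prints, for each logged drop, the rule number and interface involved. Comparing the state table with the pflog output is the quickest way to tell whether the SYN was dropped because no state existed or because the packet never matched the pass rule in the first place.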
