You forgot pass out ...
Andrey Neponimayesh wrote:
Hello,
I'm stuck with understanding how pf works when keeping state for flows.
I expect the following simple ruleset to put the firewall in a state where any host on the network connected to the fxp0 interface that sends a packet with the SYN bit set to another host accessible through the firewall will create a state entry in pf's state table. The packet then leaves through the fxp1 interface freely, as there is an entry in the state table.
int_if=fxp0
ext_if=fxp1

block in on $int_if
pass in on $int_if inet proto tcp from $int_if:network to any flags S/SA keep state
block out on $ext_if
But it doesn't work, as pf blocks the packet as it leaves the external interface.
If I understand correctly, this happens because pf allows the flow of packets only for already established connections. But in this setup, when a packet tries to leave the firewall, the state of the connection the packet belongs to is CLOSED->SYN_SENT, so pf drops it. That makes 'keep state' unusable when I want to create a state based on incoming traffic, as I would have to add another rule that allows the packets to leave and establish the connection.
Can someone correct me on this?
Andrey Nepomnyaschih [EMAIL PROTECTED]
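
As an added example (not part of the original post or the reply), here is the posted ruleset next to a corrected pf.conf that follows the reply's hint and adds a pass out rule on the external interface. The interface names fxp0 and fxp1 are taken from the post; the state-policy line and the layout are assumptions for illustration.

```pf
# Added example, not from the original thread. Interface names follow the post.
int_if = "fxp0"     # inside (LAN)
ext_if = "fxp1"     # outside

# --- Ruleset as posted: nothing lets the forwarded SYN leave $ext_if ---
# block in  on $int_if
# pass  in  on $int_if inet proto tcp from $int_if:network to any flags S/SA keep state
# block out on $ext_if

# --- Corrected ruleset ---
# Default in pf; stated explicitly because it matters here: a floating state
# created on $int_if can also match the same packet on $ext_if. With
# "set state-policy if-bound" it cannot, and only the pass out rule below
# lets the packet leave (creating a second state bound to $ext_if).
set state-policy floating

# Default deny on every interface, in both directions.
block all

# LAN hosts initiating TCP connections: only the initial SYN (flags S/SA)
# creates state; later packets of the flow are matched against that state.
pass in  on $int_if inet proto tcp from $int_if:network to any flags S/SA keep state

# Let the forwarded connection out of the external interface. The reply
# (SYN/ACK) coming back in on $ext_if is matched by the state, so no
# separate "pass in on $ext_if" rule is needed for it.
pass out on $ext_if inet proto tcp from $int_if:network to any flags S/SA keep state
```

Load it with pfctl -f, and check pfctl -s states after a LAN host opens a connection: with floating states one entry covers both interfaces, with if-bound states you will see one entry per interface.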
