Is there any documentation that explains why it is done that way? Or has everyone here gathered this information by means of trial and error?
> -----Original Message-----
> From: Oliver Humpage [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 17, 2004 10:24 PM
> To: Andrey Nepomnyaschih
> Cc: [EMAIL PROTECTED]
> Subject: Re: Keep State
>
> On Sun, 17 Oct 2004, Andrey Nepomnyaschih wrote:
>
> > int_if=fxp0
> > ext_if=fxp1
> >
> > block in on $int_if
> > pass in on $int_if inet proto tcp from $int_if:network to any flags S/SA keep state
> >
> > block out on $ext_if
> >
> > But it doesn't work as pf blocks the packet as it leaves the external
> > interface.
>
> State only works on the interface on which it was created.
> You will need another keep state rule on the external
> interface allowing packets out.
>
> Oliver.
>
> --
> Oliver Humpage
> ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444
>
> E-mails received are assumed to be for my attention, to do with as I wish.
> No responsibility is accepted if communications are sent to me in error.
> This disclaimer has as much legal status as yours.
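
The fix described in the quoted reply, applied to the quoted ruleset, as an added example that is not part of the original thread. It assumes the same interface macros, that no nat rule is in use, and that only TCP connections initiated from the internal network should pass.

```pf
# Added example, not from the thread. Macros as in the quoted ruleset.
int_if = "fxp0"
ext_if = "fxp1"

# Internal interface: deny inbound by default, then admit new TCP
# connections (SYN set, ACK clear) from the internal network and
# create state for them. In pf the last matching rule wins, so the
# pass rule overrides the block for matching packets.
block in on $int_if
pass in on $int_if inet proto tcp from $int_if:network to any flags S/SA keep state

# External interface: deny outbound by default, then let the same
# connections leave and create a second state entry here. Without
# this rule the forwarded SYN hits "block out" and is dropped.
# Assumption: no NAT. With a nat rule the source address seen by
# this filter rule would be the translated one, not $int_if:network.
block out on $ext_if
pass out on $ext_if inet proto tcp from $int_if:network to any flags S/SA keep state
```

Running `pfctl -nf` on the file parses the ruleset without loading it, and `pfctl -ss` lists the state entries once traffic is flowing.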
