on 18/10/04 1:35 am, Trevor Talbot at [EMAIL PROTECTED] wrote:

> On Sunday, Oct 17, 2004, at 14:15 US/Pacific, [EMAIL PROTECTED]
> wrote:
> 
>> On So, 17 Okt 2004, Oliver Humpage wrote:
>> 
>>> State only works on the interface on which it was created. You will
>>> need another keep state rule on the external interface allowing
>>> packets out.
>> 
>> pf.conf(5) says that state is floating by default. So in my opinion it
>> should not be necessary to add an additional pass out rule.

Learn something new every day. Sorry for the misinformation; this was just my
experience.

> States always match address pairs directionally.  Even though
> "floating" is not physically tied to an interface, the packets on the
> external interface will be "going the wrong way" with respect to their
> addresses, and won't match state.

How do you mean "wrong way"? If state merely matches source and destination
IPs and ports, that should stay the same whether the packet is entering or
leaving the system (if there's no nat).

Oliver.

-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
