> >I was looking at some of the sample pf rules given at:
> >http://www.openbsd.org/faq/pf/queueing.html .
> >
> >On the same page in the second example (Ex2: Company network) there is
> >a rule that accepts DNS(port 53) requests from 'wwwserv' to any on 'fxp1
> >inbound' as below:
> ># filter rules for fxp1 inbound
> >pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
> >     keep state
> >
> >But 'fxp0' does NOT allow any new 'outbound' connections except from the
> >'int_net'. Would that mean that DNS packets are not allowed outside the
> >firewall and the above rule was written in vain?? I am missing
> >something here..
>
> Note the 'keep state' at the end of that rule.  This tells pf (roughly
> speaking) to allow further communication in both directions until the
> tcp connection is terminated.  (For udp, it allows 'related' datagrams
> in both directions -- I'm not sure exactly what the definition of
> 'related' is, but it allows udp-based protocols to work.)

So does the "keep state" actually refer to the whole firewall rather than
just the interface it was assigned to??  Because otherwise the first 'syn'
packet of a DNS connection going out from fxp0 wouldn't be accepted.

The reason I was initially thinking that "keep state" just pertains to a
particular interface was because of these two rules in the same example:
    # filter rules for fxp0 outbound
    pass out on fxp0 from $int_nets to any keep state
    # filter rules for dc0 inbound
    pass in on dc0 from $int_nets to any keep state

thanks,
srikanth.
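A toy model of the behaviour discussed above, added here as an example (it is not code from this thread or from OpenBSD): with pf's default "floating" state policy a state entry is matched on any interface, so the single "keep state" rule on fxp1 inbound is enough for the query to leave on fxp0 and for the reply to return; passing "if-bound" shows what the poster was expecting instead. The addresses, the port numbers and the one-rule ruleset are constructed assumptions.

```python
# Toy model of pf stateful filtering (added example, not OpenBSD code).
# Assumes pf's default "floating" state policy: a state entry matches on
# any interface. Addresses and interface names here are constructed.
from collections import namedtuple

# iface: interface the packet is seen on; direction: "in" or "out"
Packet = namedtuple("Packet", "iface direction proto src sport dst dport")

WWWSERV = "192.0.2.10"      # constructed value for $wwwserv (DMZ server)
RESOLVER = "198.51.100.53"  # constructed external DNS server

# (direction, iface, protos, source, dest port, keep state): the rule
# quoted in the thread, in a single-rule ruleset with a default block.
RULES = [("in", "fxp1", ("tcp", "udp"), WWWSERV, 53, True)]

class PF:
    def __init__(self, state_policy="floating"):
        self.policy = state_policy
        self.states = set()

    def _key(self, p):
        # Both directions of a flow map to one key; if-bound adds the iface.
        ends = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        key = (p.proto,) + ends
        return key if self.policy == "floating" else (p.iface,) + key

    def filter(self, p):
        if self._key(p) in self.states:
            return "pass (state)"
        for d, i, protos, src, dport, keep in RULES:
            if (d, i) == (p.direction, p.iface) and p.proto in protos \
                    and src in ("any", p.src) and dport in (None, p.dport):
                if keep:
                    self.states.add(self._key(p))
                return "pass (rule)"
        return "block"  # default deny, as in the FAQ example

def trace(state_policy="floating"):
    """Verdicts for a UDP DNS query from $wwwserv leaving via fxp0 and
    its reply coming back, as each packet crosses each interface."""
    pf = PF(state_policy)
    q = dict(proto="udp", src=WWWSERV, sport=40000, dst=RESOLVER, dport=53)
    r = dict(proto="udp", src=RESOLVER, sport=53, dst=WWWSERV, dport=40000)
    path = [Packet("fxp1", "in", **q), Packet("fxp0", "out", **q),
            Packet("fxp0", "in", **r), Packet("fxp1", "out", **r)]
    return [pf.filter(p) for p in path]
```

`trace()` returns one verdict per interface crossing; only the first packet is evaluated against the ruleset, every later one is passed by the state entry, whereas `trace("if-bound")` blocks the same query as it leaves on fxp0.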
