** Reply to message from Srikanth Sagiraju
<[EMAIL PROTECTED]> on Tue, 2 Nov 2004 11:44:30 -0500 (EST)
>So does the "keep state" actually refer to the whole firewall rather than
>just the interface it was assigned to? Because otherwise the first 'syn'
>packet of a DNS connection going out from fxp0 wouldn't be accepted.
>
>The reason I was initially thinking that "keep state" just pertains to a
>particular interface was because of these two rules in the same example :
> # filter rules for fxp0 outbound
> pass out on fxp0 from $int_nets to any keep state
> # filter rules for dc0 inbound
> pass in on dc0 from $int_nets to any keep state
I'm no expert on pf, just someone who's managed to put together a
firewall configuration that seems to work. There's an option which
controls whether state is confined to a single interface or is shared
among all interfaces; I've chosen to restrict it to individual
interfaces, so I haven't carefully investigated how the shared version
would work.
Dave
--
Dave Anderson
<[EMAIL PROTECTED]>
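An added pf.conf fragment (not from either poster) showing the option Dave refers to, `set state-policy`, applied to the two rules quoted in the question. Interface names fxp0 and dc0 come from the thread; the address inside $int_nets is a constructed placeholder.

```pf
# Assumed layout (constructed): dc0 is the internal LAN, fxp0 the external link
int_if   = "dc0"
ext_if   = "fxp0"
int_nets = "{ 192.168.0.0/24 }"   # placeholder, not from the thread

# "floating" (the pf default): a state is not tied to an interface. The state
# created when a LAN packet passes *in* on dc0 also matches that same packet
# when it leaves *out* on fxp0, so the outbound rule is never evaluated for it.
set state-policy floating

# "if-bound": each state matches packets only on the interface it was created
# on. The same connection then needs a state (and therefore a pass rule) on
# both dc0 and fxp0, which is why the FAQ example carries both rules below.
# set state-policy if-bound

# Default deny; pf uses last-matching-rule semantics, so pass rules follow.
block all

# filter rules for dc0 inbound (LAN -> firewall)
pass in  on $int_if from $int_nets to any keep state

# filter rules for fxp0 outbound (firewall -> Internet)
pass out on $ext_if from $int_nets to any keep state

# The policy can also be set per rule, overriding the global setting.
# Here outbound DNS from the LAN always gets an interface-bound state.
pass out on $ext_if proto { tcp udp } from $int_nets to any port 53 \
    keep state (if-bound)
```

Load with `pfctl -nf /etc/pf.conf` to syntax-check, then inspect which interface a state is bound to with `pfctl -ss` (floating states show no interface name, if-bound states show the interface).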