On 2007/09/21 23:55, Ilya A. Kovalenko wrote:
> >> block in inet from 192.168.0.1 to 192.168.114.31
> >> pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
> >> (does not work - neither pings nor TCP)
> > Here, you only pass the *inbound* packets; you also must
> > pass the outbound packets on the opposite interface.
>
> So, single state entry affects traffic on single interface only?
It depends how the rule is written. In this example, you pass:

  (src 192.168.114.31, dst 192.168.0.1, inbound)

i.e. packets from outside to inside are passed in to the firewall,

but you are missing:

  (src 192.168.114.31, dst 192.168.0.1, outbound)

i.e. these packets are not allowed out of the firewall to the destination.

For the return traffic, you permit:

  (src 192.168.0.1, dst 192.168.114.31, outbound, where it matches the
   ports and sequence number from the above session)

i.e. return packets are allowed *out* of the firewall,

but you are missing:

  (src 192.168.0.1, dst 192.168.114.31, inbound)

...but they aren't allowed *in* to the firewall in the first place.

Is that any clearer?
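The ruleset below is an added illustration of the point made in this reply; it is not from the original message or from the pf project. It assumes a forwarding firewall with two interfaces, named here as $ext_if (where 192.168.114.31 is reached) and $int_if (where 192.168.0.1 lives); those interface names, and the choice to cover TCP and ICMP echo separately, are assumptions for the example. Each direction of the forwarded flow gets its own stateful rule bound to the interface it crosses, so the state created on $ext_if covers the reply leaving $ext_if and the state created on $int_if covers the reply entering $int_if.

```pf
# Added example ruleset (not from the original thread). Interface names are assumed.
ext_if = "em0"   # interface toward 192.168.114.31
int_if = "em1"   # interface toward 192.168.0.1

# Default deny in both directions on both interfaces, so only the stateful
# rules below can open a path.
block all

# Hop 1: the connection arrives on the external interface (inbound).
# The state created here also matches the reply leaving on $ext_if.
pass in  on $ext_if inet proto tcp from 192.168.114.31 to 192.168.0.1 \
    flags S/SA keep state

# Hop 2: the same packet must be allowed to leave on the internal interface
# (outbound). The state created here also matches the reply entering $int_if.
pass out on $int_if inet proto tcp from 192.168.114.31 to 192.168.0.1 \
    flags S/SA keep state

# Ping needs its own pair of rules: "flags S/SA" is a TCP option and does not
# match ICMP. The ICMP state covers the echo reply on each interface.
pass in  on $ext_if inet proto icmp from 192.168.114.31 to 192.168.0.1 \
    icmp-type echoreq keep state
pass out on $int_if inet proto icmp from 192.168.114.31 to 192.168.0.1 \
    icmp-type echoreq keep state
```

After loading the ruleset (pfctl -f /etc/pf.conf), `pfctl -ss` should show two state entries for one TCP connection, one per interface, which is the behaviour the question was asking about. If only the `pass in on $ext_if` rule exists, `pfctl -ss` shows the state on $ext_if while the connection still fails, because the packet is dropped by `block all` when it tries to leave on $int_if.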
