On Sun, 16 May 2004, Tim Kornau wrote:
> On Fri, 14 May 2004 at 14:50 -0400, Roy Morris wrote:
> > I am working with a simple two-interface router/pf and block in and out packets
> > on all interfaces. It makes sense that you would have to have a rule to allow
> > the packet in on if-a, but I would have thought the state would carry across
> > to if-b, without having to place another rule that said let the packet out. I
> > have tried the 'set state-policy', although floating is the default and should
> > be passing this along??
> Hello Roy,
> Without your pf.conf this mail cannot be completely answered, but
> maybe there is a hint that I can give you that might resolve the
> situation. The "state" is kept with the default setting of floating
Presumably because, with a default block in/out, the traffic ingresses one
interface, the state is created, but when it egresses another interface it
is "re-evaluated"?

This is where I always get confused:

If the OpenBSD pf(4) stateful firewall is acting as an intermediary
forwarding device for a 3-way TCP handshake, shouldn't the re-evaluation
of the initial packet (S/SA) matching a "pass in" rule on an
ingress interface punch a hole "back out of" the original ingress
interface, _as well as_ punch a hole *in* and *out* of the egress
interface?

Come to think of it, that sounds pretty aggressive for "keep state";
maybe that's my nasty assumption?

~BAS
> but if your ruleset explicitly denies outgoing packets on the
> interface then in my understanding these will be dropped.
> Tim
> --
> Darksun rising over blood red sea
l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?"
~James Maynard Keenan
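As an added illustration (not from this thread or from anyone in it): a minimal pf.conf of the shape Roy describes, with a default block in both directions, an explicit pass rule on each interface, and logging so the drop point can be observed. The interface names and the 10.0.0.0/24 network are assumed values.

```pf
# Added example, not from the thread. if_a, if_b and the LAN prefix are
# constructed values; substitute your own.
if_a = "fxp0"          # inside interface, where LAN traffic ingresses
if_b = "fxp1"          # outside interface, where it egresses
lan  = "10.0.0.0/24"

set state-policy floating   # the default: states are not bound to one interface

# Default deny, in and out, on every interface; "log" sends drops to pflog0
block log all

# State is created when the first SYN from the LAN enters if_a.
pass in  on $if_a proto tcp from $lan to any flags S/SA keep state

# Explicit egress rule on if_b. With this present the ruleset forwards
# correctly whether or not the state created on if_a is also matched
# when the same packet is evaluated leaving if_b.
pass out on $if_b proto tcp from $lan to any flags S/SA keep state
```

To see exactly which rule, direction and interface dropped a packet, watch the log interface with `tcpdump -n -e -ttt -i pflog0`; `pfctl -vss` lists the current state entries so you can confirm whether a state exists for the flow that is being blocked.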