On Sat, Apr 30, 2011 at 10:52:21AM -0700, Emille Blanc wrote:

> On 11-04-29 12:08 AM, pavel pocheptsov wrote:
> >pass in on $int_if inet proto udp from any to $int_if port tftp
> You do have a pass out rule in pf, right?
> I'm assuming you have a default block in place somewhere, and since
> TFTP uses UDP, pf won't create a state so you'll need an explicit
> pass out.

Wrong. UDP does use states, see pf.conf(4):

pf(4) will also create state for other protocols which are effectively
stateless by nature.  UDP packets are matched to states using only
host addresses and ports, and other protocols are matched to states
using only the host addresses. 

        -Otto
