On 20 June 2013 16:53, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2013-06-18, Wiesław Herr <hers...@makhleb.net> wrote:
>
> I suspect you may have an issue where state is not being created where
> you expect it.
>
> It's now recommended (and we've changed the sample pf.conf to match)
> to start your ruleset with an explicit "block" (or "block log") rule to
> ensure that you don't accidentally allow any traffic to pass without
> keeping state.
>
In the case of a tproxy, which does no-evil and necessary IP spoofing, how will states be treated? My PF is in production, so I cannot test now, but I had the same issue (packets that bypass nat) with route-to from an interface to another and nat-to in the latter. I disabled states to test, and well... nat-to does not work without them... so I left everything without states, only nat-to, but the same problem occurred. By now in our ISP we have made a choice for the flexibility of FreeBSD IPFW, but I really like OpenBSD's correctness and the shiny match PF rules, and ALTQ being removed/reconstructed in a new way.
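As an added illustration of the ruleset shape Stuart recommends in the quoted text (a configuration constructed for this page, not one posted in the thread; the interface names and the internal network are assumptions), the following pf.conf opens with an explicit logged block so that any packet not matched by a later pass rule is dropped rather than silently forwarded without state:

```conf
# Constructed example, not from the thread: interface names and
# addresses are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo

# Explicit default block, logged. Anything that does not hit a later
# "pass" rule ends here, so no traffic can leak through stateless.
block log all

# Translation for the internal network. "match ... nat-to" only marks the
# packet for translation; it does not pass it and does not create state.
match out on $ext_if inet from $int_net nat-to ($ext_if)

# The "pass" rules that actually let the traffic through create the
# state entries (pass keeps state by default unless "no state" is given).
pass out on $ext_if inet from $int_net
pass in  on $int_if inet from $int_net
```

The point of the leading block rule is that the pass rules become the only way a packet can traverse the firewall, and every pass rule keeps state unless told otherwise. This also fits the observation in the message above: translation in OpenBSD pf is stateful, so a nat-to rule cannot be combined with no state, and a packet that reaches its destination untranslated is one that was never matched by a state-creating pass rule in the first place.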