Thanks for the information. This is the first time that I've used PF as a router-based firewall and not with NAT. I didn't know that the state was on a per-interface basis, and not global to the system. So this means that unless I want to allow all outbound traffic from my firewall, I need to have a matching pass out rule for all the pass in rules for which I want to restrict the inbound interface (i.e., for which I don't want to put just pass for)?

The reason I need quick, especially on a few of these rules, is that the firewall will be establishing 3 to 6 thousand new sessions per second and managing between 300 000-500 000 state entries. This means that if it's one state entry per interface, this effectively doubles the state table size.

Thanks for the other tips by other people for lists and the implicit keep state, I hadn't even realized I had omitted important lists and didn't know about the implicit keep state.

Jon Radel wrote:
You appear to be making use of the default pass rule for all your outbound
traffic, as I didn't notice a single rule that applied to outbound
traffic (other than your block port 0, CARP, PFSync, and ping rules).  I
don't believe that can be counted on to establish state.

So a packet arrives on an interface, is allowed in with a "pass in quick
on XX" and state is established.  The packet is then routed out YY,
which is allowed since there is no rule to block it.  There is, however,
no state established on interface YY, so the return packet is dropped
unless you have a rule explicitly allowing that packet in.

Try dropping a

pass out all

into the rule set to see if things get better.  (As a test, think about
the implications before you put that into production.)

--Jon Radel
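As an added illustration of the per-interface state behaviour discussed above (this is an example pf.conf fragment written for this note, not configuration from either poster), the following shows the restrictive alternative to a blanket "pass out all": a matching pass out rule on the outbound interface for each pass in rule. The interface names, network, ports and the explicit `set state-policy` line are assumptions chosen for the example.

```pf
# Added example pf.conf fragment, not from the thread. Interface names,
# networks, ports and the state-policy setting are assumptions.
int_if  = "em0"            # inside interface (the thread's "XX")
ext_if  = "em1"            # outside interface (the thread's "YY")
int_net = "10.0.0.0/24"    # constructed inside network
tcp_svcs = "{ 80, 443 }"   # constructed set of permitted destination ports

# if-bound: a state is bound to the interface it was created on, so a state
# made by "pass in on $int_if" does not match the reply arriving on $ext_if.
# floating (the other value) lets a state match packets on any interface.
set state-policy if-bound

block log all

# Inbound on the inside interface, as in the original rule set.
pass in quick on $int_if inet proto tcp from $int_net to any port $tcp_svcs keep state

# Matching outbound rule on the outside interface. With if-bound states this
# creates the second state entry per connection that lets the reply back in
# on $ext_if, without opening all outbound traffic the way "pass out all" does.
pass out quick on $ext_if inet proto tcp from $int_net to any port $tcp_svcs keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. After loading, `pfctl -ss` lists each state with the interface it is bound to, so with `if-bound` you will see two entries per connection (one on each interface), which is the doubling of the state table described above; with `floating`, states are listed against "all" rather than a specific interface.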
