On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
> Thanks for the information. This is the first time that I've used PF as a
> router based firewall and not with NAT. I didn't know that the state was on
> a per interface basis, and not global to the system. So this means that
> unless I want to allow all outbound traffic from my firewall, I need to
> have a matching pass out rule for all the pass in rules for which I want to
> restrict the inbound interface (ie for which I don't want to put just pass
> for)?

No, states are by default global and not tied to an interface. See man pf.conf.

	-Otto

> The reason I need quick, especially on a few of these rules, is that the
> firewall will be establishing 3 to 6 thousand new sessions per second and
> managing between 300 000-500 000 state entries. This means that if it's one
> state entry per interface, this effectively doubles the state table size.
>
> Thanks for the other tips by other people for lists and the implicit keep
> state, I hadn't even realized I had omitted important lists and didn't know
> about the implicit keep state.
>
> Jon Radel wrote:
>> You appear to be making use of the default pass rule for all your outbound
>> traffic, as I didn't notice a single rule that applied to outbound
>> traffic (other than your block port 0, CARP, PFSync, and ping rules). I
>> don't believe that can be counted on to establish state.
>>
>> So a packet arrives on an interface, is allowed in with a "pass in quick
>> on XX" and state is established. The packet is then routed out YY,
>> which is allowed since there is no rule to block it. There is, however,
>> no state established on interface YY, so the return packet is dropped
>> unless you have a rule explicitly allowing that packet in.
>>
>> Try dropping a
>>
>> pass out all
>>
>> into the rule set to see if things get better. (As a test, think about
>> the implications before you put that into production.)
>>
>> --Jon Radel
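As an added illustration of Otto's point (this is not code from the thread; the interface names, networks and server address are made up), a pf.conf fragment contrasting the default floating state policy with interface-bound states:

```pf
# Added example, not from the thread. Interface names and addresses are made up.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.0.2.0/24"
srv     = "198.51.100.10"

# Default policy: one floating state entry per connection, shared across
# interfaces. A state created by "pass in" on $int_if also matches the same
# packets leaving via $ext_if and the replies coming back in on $ext_if, so no
# matching "pass out" rule is needed there and the table holds one entry per flow.
set state-policy floating

block log all

pass in quick on $int_if proto tcp from $int_net to $srv port 443 \
    flags S/SA keep state

# Contrast: binding the state to the interface it was created on. The state
# then only matches on $int_if; the forwarded packet on $ext_if and its reply
# need their own rule and get their own state, which is the "one state entry
# per interface" doubling of the state table the thread is worried about.
# pass in  quick on $int_if proto tcp from $int_net to $srv port 443 \
#     flags S/SA keep state (if-bound)
# pass out quick on $ext_if proto tcp from $int_net to $srv port 443 \
#     flags S/SA keep state (if-bound)
```

With the default policy in place, `pfctl -s state` shows a single entry for the connection whichever interface it traverses; only `set state-policy if-bound` (or a per-rule `(if-bound)` option) produces per-interface entries.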