On 2008-05-08, Otto Moerbeek <[EMAIL PROTECTED]> wrote:
> On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
>
>> Thanks for the information. This is the first time that I've used PF as a 
>> router based firewall and not with NAT. I didn't know that the state was on 
>> a per interface basis, and not global to the system. So this means that 
>> unless I want to allow all outbound traffic from my firewall, I need to 
>> have a matching pass out rule for all the pass in rules for which I want to 
>> restrict the inbound interface (ie for which I don't want to put just pass 
>> for)?
>
> No, states are by default global and not tied to an interface. See man
> pf.conf. 

But they are sensitive to direction; if you keep state for a new incoming
session on an interface, you:

1. *do* pass _return_ traffic associated with that connection,
2. *do not* pass the incoming traffic that created the state (or any
following incoming traffic from the same connection) out of another
interface to send to another machine

For 2. you can either pass the outbound traffic separately, or you
can tag the inbound traffic and pass outbound traffic that has been
tagged.

...
>> The reason I need quick, especially on a few of these rules, is that the
>> firewall will be establishing 3 to 6 thousand new sessions per second

You should read this set of articles:
http://undeadly.org/cgi?action=article&sid=20060927091645
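The two points above (return traffic passes on the state; forwarded traffic needs its own pass out rule or a tag) in pf.conf form. This is an added example, not a ruleset from the thread; the interface names, the LAN prefix and the tag name are assumptions for illustration:

```pf
# Added example, not from the original thread. em0/em1, the LAN prefix
# and the tag name LAN_OUT are assumptions chosen for illustration.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

set skip on lo

# Default deny in both directions on both interfaces.
block log all

# Point 1: the state created by this rule is floating (global) by
# default, so the replies to the connection are matched by the state
# table on whichever interface they arrive, and need no extra rule.
#
# Point 2: the same packets, once routed, leave the firewall on $int_if
# and are evaluated as *outbound* packets there. The state created by
# "pass in" does not cover them, so with "block all" above they are
# dropped unless passed explicitly:
pass in  quick on $ext_if proto tcp from any to $lan port 80 \
    flags S/SA keep state
pass out quick on $int_if proto tcp from any to $lan port 80 \
    flags S/SA keep state

# Alternative for point 2: tag on the way in and pass anything that
# carries the tag on the way out, so the outbound rule does not have
# to repeat the address/port filter.
pass in  quick on $int_if proto { tcp udp } from $lan to any \
    tag LAN_OUT keep state
pass out quick on $ext_if tagged LAN_OUT keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. The "floating" behaviour of the first point is the default `set state-policy floating`; with `set state-policy if-bound` a state only matches packets on the interface it was created on, which is the per-interface behaviour the original question assumed.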
