Hello Ian,

On Tue, May 03, 2022 at 03:08:01PM +0100, Ian Chilton wrote:
> Hi Alexandr,
> 
> Thanks for the explanations.
> 
> This all makes sense.. except the part of the outgoing packet on gw1, 
> destined for gw2 across the linknet.
> 
> > there is no state which matches outbound reply at gw1. unless outbound interface
> > towards gw2 is in admin/external/linknet group, the outbound icmp reply packet
> > will match the block all rule on gw1.

    I meant to say TCP/UDP reply packet.
> 
> The linknet interface *is* in the linknet group.
> 
> So it should match this rule and be allowed? -
> pass out quick on { admin, external, linknet }
> 
> ...and in the case of ICMP, even if you ignore the above rule, it should be 
> allowed by:
> pass quick proto { icmp, icmp6 }

    unless 'keep state (sloppy)' is used, the rule above won't create
    a state for the outbound icmp reply, thus the outbound ICMP reply will be
    discarded.

I'll try to look more closely at TCP/UDP in the next few days, hopefully.

thanks and
regards
sashan
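As an added illustration (not part of either mail), here is a pf.conf fragment showing the two rule variants discussed above side by side, for the asymmetric case where gw1 only ever sees the reply half of a flow and forwards it to gw2 over the linknet. The interface group names (admin, external, linknet) are the ones from the thread; the `egress` macro and comments are assumptions made for the example.

```pf
# Default-deny, as in the original setup.
block all

# As written in the thread: with the default (non-sloppy) state tracking,
# an ICMP echo *reply* arriving at gw1 without a matching state does not
# create one, so it falls through to "block all" on the way out over linknet.
pass quick proto { icmp, icmp6 }

# Variant with relaxed state tracking: a reply seen without its request
# is allowed to create a state, so the reply forwarded towards gw2 passes.
# This only needs to be used on paths where routing is known to be asymmetric.
pass quick proto { icmp, icmp6 } keep state (sloppy)

# Outbound rule from the thread; this is direction "out", so it does not
# help with a reply that still has no state when it reaches the ruleset.
pass out quick on { admin, external, linknet }
```

After loading the ruleset, `pfctl -ss` lists the current state table; seeing an entry for the reply direction appear only with the sloppy variant confirms the behaviour described in the mail.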
