On Wed, Mar 19, 2003 at 04:23:00PM -0800, Trevor Talbot wrote: > On Wednesday, Mar 19, 2003, at 15:19 US/Pacific, Srebrenko Sehic wrote: > > >block in all > >block out all > > > >## allow traffic on $ext_if to $webserver on 80/tcp and 443/tcp > >pass in on $ext_if proto tcp from any to $webserver port {80, 443} \ > > keep state > > > >This would not work. Why? We need to pass out on $ext_if as well (since > >pf(4) filters on both directions). > > In this specific case, the "keep state" option will allow traffic back > out on $ext_if, from $webserver, provided it is related to the original > tcp port {80, 443} traffic that triggered it. You do not need any other > "pass out on $ext_if" rules for $webserver for this purpose.
Yeah, it would, _if_ $webserver was on $ext_if/net, but it's not. It's on $int_if/net. > Are you unsure what "stateful" behavior is? No. Are you?