On Wed, Mar 19, 2003 at 04:23:00PM -0800, Trevor Talbot wrote:
> On Wednesday, Mar 19, 2003, at 15:19 US/Pacific, Srebrenko Sehic wrote:
>
> >block in all
> >block out all
> >
> >## allow traffic on $ext_if to $webserver on 80/tcp and 443/tcp
> >pass in on $ext_if proto tcp from any to $webserver port {80, 443} \
> > keep state
> >
> >This would not work. Why? We need to pass out on $ext_if as well (since
> >pf(4) filters on both directions).
>
> In this specific case, the "keep state" option will allow traffic back
> out on $ext_if, from $webserver, provided it is related to the original
> tcp port {80, 443} traffic that triggered it. You do not need any other
> "pass out on $ext_if" rules for $webserver for this purpose.
Yeah, it would, _if_ $webserver was on $ext_if/net, but it's not. It's on
$int_if/net.
> Are you unsure what "stateful" behavior is?
No. Are you?
