On Dec 13, 2006, at 11:19 PM, Daniel Hartmeier wrote:

On Wed, Dec 13, 2006 at 04:10:44PM -0800, Michael K. Smith - Adhost wrote:

Hmm, I'm not sure... the term <established> is (IMHO) used by Cisco
ACLs, and it means all IP packets are a response from inside.

Ah, so it's not really stateful filtering (where the firewall keeps
track of which connections have been established), but merely syntactic
sugar for filtering based on TCP flags (pass non-SYN packets, and only
filter SYNs, assuming that when the SYN is not passed, passing non-SYNs
is harmless).

If you want to do that (i.e. filter statelessly) with pf, you can, but
then you wouldn't use 'keep state' at all. Look at the 'flags' option in
pf.conf(5).

Daniel

Hi Daniel:

No, it's not stateful at all. Cisco didn't really intend for it to be a firewall, particularly when there were lots of firewall products to sell. :-) I think what he's looking for is the S/SA flag. If I understand the question, he was trying to allow traffic originating from "inside" users to return through the firewall. The old Cisco ACL method would break return traffic if you didn't use the "established" rule.

Regards,

Mike
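To make the two approaches discussed in this thread concrete, here is an added pf.conf example (not posted by Daniel, Mike, or the original asker). It shows the stateful 'flags S/SA keep state' form Mike points to, and, as an alternative, the stateless 'flags'-only form Daniel describes as the closest equivalent to Cisco's 'established'. The interface name and inside network are placeholders. Note that on OpenBSD 4.1 and later, pass rules keep state by default, so the stateless variant needs an explicit 'no state'; on the pf of late 2006 the rules were stateless unless 'keep state' was given.

```pf
# Added example, not from the thread. $ext_if and $int_net are placeholders.
ext_if  = "em0"
int_net = "192.168.1.0/24"

# ---- Alternative 1: stateful (what Mike suggests) ----------------------
# Only the first packet of a new outbound connection (SYN set, ACK clear,
# i.e. flags S/SA) creates a state entry. Every later packet in either
# direction is matched against the state table, so no separate rule for
# return traffic is needed and unsolicited inbound packets hit the block.
# On OpenBSD >= 4.1 'flags S/SA keep state' is already the default.
block in on $ext_if all
pass out on $ext_if proto tcp from $int_net to any flags S/SA keep state

# ---- Alternative 2: stateless, the pf analogue of Cisco 'established' --
# (Use instead of Alternative 1, not together with it.)
# Cisco's 'established' matches TCP segments with ACK or RST set. The
# approximation here drops inbound segments that look like connection
# attempts (SYN set, ACK clear) and passes every other TCP segment without
# creating state. 'quick' makes the block win over the later pass rule,
# since pf otherwise applies the last matching rule.
# block in quick on $ext_if proto tcp from any to $int_net flags S/SA
# pass  in on $ext_if proto tcp from any to $int_net no state
# pass  out on $ext_if proto tcp from $int_net to any no state
```

The caveat Daniel raises applies to Alternative 2: it relies on the assumption that a non-SYN segment arriving without a preceding SYN is harmless. Anything that sets ACK (for example an ACK scan, or a crafted segment that the inside host's TCP stack will simply reject) is passed, because the firewall never checked that a connection was actually established. Alternative 1 does not have that gap, which is why 'keep state' rather than flag matching is the normal pf idiom.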
