On 13/12/2006 18:31:10+0100, Daniel Hartmeier wrote:
> On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote:
>
> > Is it a problem with FreeBSD or with pf?
>
> With neither, you're assuming a state entry has the same effect in pf as
> in ipfw, which is not the case.
>
> > For example I've put this kind of rule
> >
> > pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
> >
> > When I try to connect from IP-A to IP-B using ssh the connection doesn't
> > work. And I've got
> >
> > self tcp IP-B:22 <- IP-A:56906 CLOSED:SYN_SENT
> > self tcp IP-B:22 <- IP-A:59496 CLOSED:SYN_SENT
> >
> > in my pfctl -s state
> >
> > and got deny for outgoing packet from IP-B to IP-A
>
> That is expected with pf. A state entry created for an incoming packet
> on one interface does not allow the same packet to go out through
> another interface, it merely allows further packets through the same
> interface and _replies_ back out through the same interface.

Thanks for all. Everything works fine now.

Regards.
--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7 ième étage, plateau D, bureau 10
Heure local/Local time:
Fri Dec 15 22:00:53 CET 2006
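
The behaviour Daniel Hartmeier describes above, as an added pf.conf example that is not part of the original thread: on a box that forwards between two interfaces, the single `pass in ... keep state` rule is shown beside the second rule needed on the outgoing interface. The macro names, interface names, addresses and the default-deny policy are assumptions made for illustration.

```conf
# Added example, not from the thread. All names and addresses are constructed.
int_if = "em0"            # assumed: interface facing IP-A (the "first nic")
ext_if = "em1"            # assumed: interface facing IP-B
host_a = "192.0.2.10"     # stand-in for IP-A
host_b = "198.51.100.20"  # stand-in for IP-B

# Assumed default-deny policy; logging makes the dropped SYN visible on pflog0.
block log all

# Not sufficient on its own for forwarded traffic: this state covers further
# packets arriving on $int_if and replies leaving through $int_if. It does not
# allow the same SYN to leave through $ext_if, so the state stays at
# CLOSED:SYN_SENT, as in the pfctl -s state output quoted in the thread.
pass in  on $int_if proto tcp from $host_a to $host_b port 22 flags S/SA keep state

# Also required: a rule for the packet as it leaves the second interface.
# Its state covers replies from $host_b coming back in on $ext_if.
pass out on $ext_if proto tcp from $host_a to $host_b port 22 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it; once loaded, `pfctl -s state` should list two entries per forwarded connection, one for each direction.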