I just ran into this same problem. Trying to accomplish Cisco ASA style
reflexive stateful rules(r):
- Default block in
- Trust no subnets / interface
- Pass in rules which ingress/egress an interface pair
- Inbound tcp syn on any interface should create reflexive outbound
equivalent on the
On Wed, Jan 17, 2007 at 02:29:13PM +0100, Samuel Mo?ux wrote:
every state is a [src, dst, direction] tuple
which lets pass [src - dst, direction] and [dst - src,
not(direction)], but not [src - dst, not(direction)] packets.
Very clear - I think that description should go into pf.conf(5)
On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Mo?ux wrote:
With this config, I can't access dmz hosts from lan or internet. The
state gets created:
all tcp $dmz_ip:25 - 192.168.1.161:19399 CLOSED:SYN_SENT
but the response is blocked:
Jan 16 19:32:59.627083 rule 0/(match) block
2007/1/17, Brian Candler [EMAIL PROTECTED]:
Someone please correct me if I'm wrong, but I believe that the 'keep state'
only applies to the opposite packets through the same interface. For
example:
[ASCII diagram of pkt1 and pkt1' crossing ext_if and int_if; garbled in the archive]
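The [src, dst, direction] tuple rule quoted from Samuel above, modelled as an added example in Python (not pf's own code): the SYN creates one state, the reply matches it, and the same src-dst pair in the other direction does not. Addresses and ports are constructed; 10.0.0.25 stands in for $dmz_ip, and interface binding is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Toy model of the state tuple quoted above (added example, not pf's own code).
# A state is (src, dst, direction); a packet matches it as (src, dst, direction)
# or as the reply (dst, src, not(direction)), never as (src, dst, not(direction)).
Endpoint = Tuple[str, int]                 # (ip, port)
StateKey = Tuple[Endpoint, Endpoint, str]  # (src, dst, direction)

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    direction: str   # "in" or "out", relative to the firewall
    syn: bool = False

def flip(direction: str) -> str:
    return "out" if direction == "in" else "in"

class StatefulFilter:
    """Default block; a SYN in pass_direction creates a state ('pass in ... keep state')."""
    def __init__(self, pass_direction: str = "in") -> None:
        self.pass_direction = pass_direction
        self.states: Dict[StateKey, str] = {}

    def lookup(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.dst, pkt.direction)        # [src - dst, direction]
        reply = (pkt.dst, pkt.src, flip(pkt.direction))    # [dst - src, not(direction)]
        return forward in self.states or reply in self.states

    def filter(self, pkt: Packet) -> str:
        if self.lookup(pkt):
            return "pass (state)"
        if pkt.syn and pkt.direction == self.pass_direction:
            self.states[(pkt.src, pkt.dst, pkt.direction)] = "SYN_SENT"
            return "pass (rule, state created)"
        return "block (rule 0)"

def run_trace() -> List[str]:
    """Constructed packets; 10.0.0.25 stands in for $dmz_ip from the thread."""
    fw = StatefulFilter(pass_direction="in")
    lan, dmz = ("192.168.1.161", 19399), ("10.0.0.25", 25)
    trace = [
        Packet(lan, dmz, "in", syn=True),  # SYN creates state (lan, dmz, in)
        Packet(dmz, lan, "out"),           # reply [dst - src, not(direction)]: passes
        Packet(lan, dmz, "out"),           # [src - dst, not(direction)]: no match, blocked
        Packet(dmz, lan, "in"),            # reversed endpoints, same direction: blocked
    ]
    return [fw.filter(p) for p in trace]
```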