About pf states

2007-01-16 Thread Samuel Moñux
Hello everyone, I'm trying to replace a crufty pf.conf which has evolved badly, and I think doesn't fully use the stateful capabilities of pf. The problem is that there must be something I don't really understand about states. My plan was to write a pf.conf with almost no "out" clauses. A packe

Re: About pf states

2007-01-17 Thread Brian Candler
On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Moñux wrote:
> With this config, I can't access "dmz hosts" from lan or internet. The
> state gets created:
>
> all tcp $dmz_ip:25 <- 192.168.1.161:19399 CLOSED:SYN_SENT
>
> but the response is blocked:
>
> Jan 16 19:32:59.627083 rule 0/(mat

Re: About pf states

2007-01-17 Thread Samuel Moñux
2007/1/17, Brian Candler <[EMAIL PROTECTED]>: Someone please correct me if I'm wrong, but I believe that the 'keep state' only applies to the opposite packets through the same interface. For example: pkt1++ pkt1' ---> | ext_if int_if | --> <--- |

Re: About pf states

2007-01-18 Thread Brian Candler
On Wed, Jan 17, 2007 at 02:29:13PM +0100, Samuel Moñux wrote:
> every state is a [src, dst, direction] tuple
> which lets pass [src -> dst, direction ] and [dst -> src,
> not(direction)], but not [ src-> dst, not(direction) ] packets.
Very clear - I think that description should go into pf.conf(5)

Re: About pf states

2007-05-17 Thread Brian A. Seklecki
I just ran into this same problem. Trying to accomplish Cisco ASA style reflexive stateful rules(r):
- Default block in
- Trust no subnets / interface
- Pass in rules which ingress/egress an interface pair
- Inbound tcp syn on any interface should create reflexive outbound equivalent on the e