[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf default deny problem



On Thu, Feb 27, 2003 at 11:07:10AM +1100, Kremlyn Vostok wrote:
> I have done exactly as you suggested, and it does not work.  pf.conf 
> indicates that rdr rules imply keeping state through drop rules.. which 
> is why I did not have an allow outbound keep state rule.  I've also 
> tried with such a rule with no luck.
No, packets translated by nat/rdr/binat will not automatically pass and
create state. The packet is first translated, then the filter rules are
evaluated. If they pass the packet, a state is automatically created. If
they block it, it's blocked and no state is created. The wording
'implicitely create state' might need some rework, the point it's trying
to make is that the pass rule will create state for translated packets
even if it doesn't have the 'keep state' option. But you still need that
pass rule. And it needs to match the packet _after_ translation.
Daniel