[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tagging & keep state



Ed White wrote:
I've played with tagging and I've found something that's not clear to me.

block in on dc0 tag LAN
pass in inet proto tcp to port 80 keep state


If I send a SYN to port 80 passing across the dc0 interface the packet will be tagged LAN and then it will create a state with the second and last-matching rule.


However I'd like to know if every packet that belongs to that connection (matches the state) will be marked with LAN tag.

the rest of the packets in that connection will be passed because they match the state table entry, they will not be run through the firewall rules again as the first packet passed and created the state for the rest of the connection.


To answer your question: I don't think they are tagged as well, but even if they were, you could not really make use of the tag, as the packets are not passed through the ruleset.

kind regards,

Matthijs Bomhoff