Re: tagging & keep state
Ed White wrote:
I've played with tagging and I've found something that's not clear to me.
block in on dc0 tag LAN
pass in inet proto tcp to port 80 keep state
If I send a SYN to port 80 passing across the dc0 interface the packet will be
tagged LAN and then it will create a state with the second and last-matching
However, I'd like to know if every packet that belongs to that connection
(matches the state) will be marked with LAN tag.
The rest of the packets in that connection will be passed because they
match the state table entry, they will not be run through the firewall
rules again as the first packet passed and created the state for the
rest of the connection.
To answer your question: I don't think they are tagged as well, but even
if they were, you could not really make use of the tag, as the packets
are not passed through the ruleset.
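A ruleset that shows the point made in the reply, added here as an example rather than taken from the thread. It keeps the thread's two rules for dc0 and adds an external interface, named ext0 as an assumption, where the tag is actually consulted: the tag decides the fate of the first packet of a flow only, because every later packet of the flow matches the state created by that first packet and never reaches the ruleset.

```pf
# Added example, not from the thread. dc0 is the interface named in the
# thread; ext0 is an assumed name for the external interface.
int_if = "dc0"
ext_if = "ext0"

block all

# First packet of a flow arriving on dc0: the block rule tags it LAN
# (tags are sticky), the later pass rule is the last match and creates
# the state. Later packets of the flow match that state on dc0 and skip
# the ruleset, so the tag is never consulted for them on this interface.
block in on $int_if tag LAN
pass in on $int_if inet proto tcp to port 80 keep state

# The same packet is evaluated again when it leaves on ext0. Only this
# first packet reaches the ruleset carrying the LAN tag; the rule below
# uses the tag to decide whether to pass it and creates a second state,
# and the remaining packets of the flow match that state instead.
pass out on $ext_if inet proto tcp to port 80 tagged LAN keep state
```

Check the syntax with `pfctl -nf` on the file before loading it. After loading, `pfctl -vsr` makes the behaviour visible: the Evaluations counter of each pass rule grows by one per connection, while its Packets counter grows with every packet of the flow, and `pfctl -ss` shows the two states, one per interface.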