
Re: question on pf filtering

** Reply to message from Srikanth Sagiraju
<[email protected]> on Mon, 1 Nov 2004 19:37:30 -0500 (EST)
>I was looking at some of the sample pf rules given at:
>http://www.openbsd.org/faq/pf/queueing.html .
>On the same page in the second example (Ex2: Company network) there is
>a rule that accepts DNS(port 53) requests from 'wwwserv' to any on 'fxp1
>inbound' as below:
># filter rules for fxp1 inbound
>pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
>	keep state
>But 'fxp0' does NOT allow any new 'outbound' connections except from the
>'int_net'. Would that mean that DNS packets are not allowed outside the
>firewall and the above rule was written in vain?? I am missing
>something here..
Note the 'keep state' at the end of that rule.  This tells pf (roughly
speaking) to allow further communication in both directions until the
tcp connection is terminated.  (For udp, it allows 'related' datagrams
in both directions -- I'm not sure exactly what the definition of
'related' is, but it allows udp-based protocols to work.)
Dave Anderson
<[email protected]>
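The behaviour Dave describes, as an added example that is not part of this thread or of pf itself: a small Python model of pf's state table in which the state created by the fxp1 rule lets the same DNS flow, and its reply, through fxp0 without consulting the fxp0 rules. The addresses, the block rules, floating states and last-matching-rule semantics are assumptions of the model.

```python
# Added example, not from the list or the OpenBSD FAQ: a simplified model of
# pf stateful filtering, showing why 'keep state' on the fxp1 rule lets DNS
# from $wwwserv leave via fxp0 although fxp0 passes no new outbound flows except
# from $int_net. Assumes floating states, last match wins, constructed addresses.
from collections import namedtuple
WWWSERV = "192.0.2.10"    # constructed; deliberately not inside $int_net
INT_NET = "10."           # constructed prefix standing in for 10.0.0.0/8
NS = "198.51.100.53"      # constructed external name server

Pkt = namedtuple("Pkt", "ifc dir proto src sport dst dport")
# rule: (action, dir, ifc, src-prefix or None, dport or None, keep_state)
RULES = [
    ("block", "in", "fxp1", None, None, False),
    ("pass", "in", "fxp1", WWWSERV, 53, True),    # the rule from the FAQ
    ("block", "out", "fxp0", None, None, False),
    ("pass", "out", "fxp0", INT_NET, None, True),
]

def rule_matches(rule, p):
    _, d, ifc, src, dport, _ = rule
    return (d == p.dir and ifc == p.ifc and (src is None or p.src.startswith(src))
            and (dport is None or dport == p.dport))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # 5-tuples; a state also matches its reverse

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass (state)"        # state lookup precedes the rules
        verdict, keep = "pass", False    # no matching rule: pf passes
        for rule in self.rules:          # last matching rule wins
            if rule_matches(rule, p):
                verdict, keep = rule[0], rule[5]
        if verdict == "pass" and keep:
            self.states.add(fwd)
        return verdict

def demo():
    fw = Firewall(RULES)
    return [
        fw.filter(Pkt("fxp1", "in", "udp", WWWSERV, 40000, NS, 53)),  # creates state
        fw.filter(Pkt("fxp0", "out", "udp", WWWSERV, 40000, NS, 53)), # same flow, fxp0
        fw.filter(Pkt("fxp0", "in", "udp", NS, 53, WWWSERV, 40000)),  # the DNS reply
        fw.filter(Pkt("fxp0", "out", "tcp", WWWSERV, 40001, NS, 80)), # no state: blocked
    ]
```

Running demo() shows the query passing on fxp1 by rule, the same datagram and its reply passing on fxp0 by state, and an unrelated new flow from $wwwserv still blocked on fxp0.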