question on pf filtering

Srikanth Sagiraju
Tue, 2 Nov 2004 11:44:30 -0500 (EST)
>So does the "keep state" actually refer to the whole firewall rather than
>just the interface it was assigned to??  coz otherwise the first 'syn'
>packet of a DNS connection going out from fxp0 wouldn't be accepted.
>The reason I was initially thinking that "keep state" just pertains to a
>particular interface was because of these two rules in the same example :
>    # filter rules for fxp0 outbound
>    pass out on fxp0 from $int_nets to any keep state
>    # filter rules for dc0 inbound
>    pass in on dc0 from $int_nets to any keep state
I'm no expert on pf, just someone who's managed to put together a
firewall configuration that seems to work.  There's an option which
controls whether state is confined to a single interface or is shared
among all interfaces; I've chosen to restrict it to individual
interfaces, so I haven't carefully investigated how the shared version
would work.
Dave Anderson
<[email protected]>
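The option Dave refers to is pf's `state-policy` setting. The pf.conf fragment below is an added example, not from either message in this thread: it shows the global setting, the per-rule override, and why the quoted example needs a `keep state` rule on both interfaces when states are interface-bound. Interface names, `$int_nets` and the address range are placeholders chosen for the example.

```pf
# Added example, not part of the original thread.
# Interface names and the network below are assumptions for illustration.
ext_if   = "fxp0"
int_if   = "dc0"
int_nets = "{ 192.0.2.0/24 }"     # constructed example network

# Global state policy:
#   if-bound  - a state matches packets only on the interface that created it
#   floating  - a state matches packets on any interface (pf's default)
set state-policy if-bound

block all

# With if-bound, a packet from the LAN crosses two interfaces (in on dc0,
# out on fxp0), so a state must be created on each of them.  That is why the
# example quoted above carries a "keep state" rule for both directions.
# With floating, the single "pass out on fxp0 ... keep state" entry would
# also match the reply arriving on fxp0 and the forwarded packet leaving dc0.
pass in  on $int_if from $int_nets to any keep state
pass out on $ext_if from $int_nets to any keep state

# The policy can also be overridden per rule, for example to let DNS
# states float while everything else stays interface-bound.
pass out on $ext_if proto udp from $int_nets to any port 53 keep state (floating)
```

After loading this with `pfctl -f /etc/pf.conf`, `pfctl -ss` lists the active states; the first column shows the interface a state is bound to, or `all` for a floating state, which is a quick way to confirm which policy a given rule ended up with.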