
Re: question on pf filtering

> >So does the "keep state" actually refer to the whole firewall rather than
> >just the interface it was assigned to?  coz otherwise the first 'syn'
> >packet of a DNS connection going out from fxp0 wouldn't be accepted.
> >
> >The reason I was initially thinking that "keep state" just pertains to a
> >particular interface was because of these two rules in the same example :
> >    # filter rules for fxp0 outbound
> >    pass out on fxp0 from $int_nets to any keep state
> >    # filter rules for dc0 inbound
> >    pass in on dc0 from $int_nets to any keep state
I just found the answer to my question on one of the pf man pages, where it says:
    "A state created on ppp0 would match packets on all PPP interfaces, but
     not packets flowing through fxp0 or any other interface"
This was the reason the same rule wasn't mentioned on both fxp0 and
fxp1. But a rule has to be mentioned twice, on both interfaces, if traffic is
passing through interfaces like dc0 and fxp0.
Thanks to all those who answered.
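The two-interface case discussed above, as an added pf.conf example that is not part of the original thread; the `$int_nets` value is a constructed sample, and the `set state-policy` option is mentioned only as the knob that changes whether a state is bound to one interface or floats across all of them:

```pf
# Added example (not from the thread): a minimal pf.conf showing why the
# same stateful rule must appear on both dc0 and fxp0 when states are
# bound to the interface (or interface group) that created them.
int_nets = "{ 192.168.1.0/24 }"   # constructed sample value

# Deny everything that is not explicitly passed below.
block all

# A packet from an internal host enters on dc0. This rule creates a state
# bound to dc0, which later admits the reply when it is forwarded back out
# on dc0 toward the internal host.
pass in on dc0 from $int_nets to any keep state

# The same packet then leaves on fxp0. The dc0-bound state does not cover
# it, so a second stateful rule is required here; its fxp0-bound state is
# also what lets the reply in on fxp0 without a separate "pass in" rule.
pass out on fxp0 from $int_nets to any keep state

# Caveat: if states are made floating, one state matches the connection on
# every interface and the second rule above becomes redundant. In pf.conf
# this is controlled by the "set state-policy" option (placed with the
# other options, before the rules):
# set state-policy floating
```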