
Re: question on pf filtering



> >So does "keep state" actually refer to the whole firewall rather than
> >just the interface it was assigned to? Because otherwise the first 'syn'
> >packet of a DNS connection going out from fxp0 wouldn't be accepted.
> >
> >The reason I was initially thinking that "keep state" just pertains to a
> >particular interface was because of these two rules in the same example:
> >    # filter rules for fxp0 outbound
> >    pass out on fxp0 from $int_nets to any keep state
> >    # filter rules for dc0 inbound
> >    pass in on dc0 from $int_nets to any keep state
>
I just found the answer to my question in one of the pf man pages, where it
says:
 "A state created on ppp0 would match packets on all PPP interfaces, but
     not packets flowing through fxp0 or any other interface"
src:
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
This was the reason the same rule wasn't mentioned on both fxp0 and
fxp1. But a rule has to be mentioned twice, on both interfaces, if it is
passing through interfaces like dc0 and fxp0.
Thanks to all those who answered.
-srikanth
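
As an added illustration (not part of the original post or of pf's own documentation), here is a pf.conf fragment that spells out the reasoning above: with interface-bound states, a packet that crosses two interfaces needs a state-creating rule on each of them. The interface names and the $int_nets macro follow the quoted example; the address range, the `set state-policy if-bound` line and the comments are assumptions added here.

```pf
# Added illustration (not from the original post or the pf man page) of why
# the quoted example needed a "keep state" rule on both dc0 and fxp0.
# Interface names and the $int_nets macro follow the quoted example; the
# address range below is a constructed sample value.
int_if   = "dc0"                    # internal LAN side
ext_if   = "fxp0"                   # upstream side
int_nets = "{ 192.168.0.0/24 }"     # constructed sample value for the macro

# Assumption: states are bound to the interface they were created on, as the
# quoted man page text describes. On pf releases that have the option this is
# "set state-policy if-bound"; the default "floating" policy lets a state
# created on one interface match the same flow on any other interface.
set state-policy if-bound

block all

# A DNS query from the LAN crosses two interfaces:
#   1. in on dc0  - this rule creates a state bound to dc0; the reply going
#                   back out on dc0 later matches that state, so no separate
#                   "pass out on dc0" rule is needed for it.
pass in  on $int_if from $int_nets to any keep state
#   2. out on fxp0 - without its own rule the same packet would hit "block all"
#                   here, because the dc0-bound state is not consulted on fxp0.
#                   This rule creates a second state bound to fxp0, which also
#                   passes the reply when it arrives in on fxp0.
pass out on $ext_if from $int_nets to any keep state
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -ss` lists the current states with the interface each one is bound to as the first column, so a single LAN query shows up as two entries, one on dc0 and one on fxp0. Under the floating policy the same column reads `all` and one entry covers both interfaces, which is why a ruleset written for floating states can get away with a single rule.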