Re: Strange ? keep state behaviour

On Thursday, Jan 6, 2005, at 16:21 US/Pacific, Jason Murray wrote:

If I understand things properly, when the packet comes in on $ext_if it creates the state. Because the state is floating, it should be picked up when the packet tries to go out on $uat_if. Since it is in the state table, it should pass no problem.

Though the state is floating with respect to interfaces, the _direction_ is still locked. It sees that out.side.add.ress sent a packet IN to in.side.web.server, and so will only match future packets with that address pair if they are also coming IN. (And packets OUT for the reverse address pair, of course.) The "floating" part just means it doesn't care what interface that happens on.

This particular point seems to have gotten lost in the documentation since the if- and group-bound options were introduced.
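
The direction-locked matching described in the reply above, as an added example that is not part of the original thread and is not pf's own code: a simplified Python model that compares only direction, interface and the address pair (ports, protocol, NAT and TCP sequence tracking are left out). The addresses and the `Packet`, `State`, `create_state`, `matches` and `trace` names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall
    iface: str
    src: str
    dst: str

@dataclass(frozen=True)
class State:
    direction: str
    src: str
    dst: str
    iface: Optional[str]  # None models a floating state, a name models if-bound

def create_state(pkt, floating=True):
    """State entry as a 'keep state' rule would create it for pkt (model only)."""
    return State(pkt.direction, pkt.src, pkt.dst, None if floating else pkt.iface)

def matches(state, pkt):
    """Same direction needs the same address pair; opposite direction needs the reverse."""
    if state.iface is not None and state.iface != pkt.iface:
        return False
    if pkt.direction == state.direction:
        return (pkt.src, pkt.dst) == (state.src, state.dst)
    return (pkt.src, pkt.dst) == (state.dst, state.src)

def trace(states, hops):
    """For each hop of a forwarded flow, report whether any state matches it."""
    return [any(matches(s, p) for s in states) for p in hops]

# Constructed sample flow (documentation addresses): request forwarded in, reply out.
CLIENT, SERVER = "198.51.100.7", "192.0.2.80"
HOPS = [
    Packet("in", "ext_if", CLIENT, SERVER),   # request arrives from outside
    Packet("out", "uat_if", CLIENT, SERVER),  # request forwarded to the server
    Packet("in", "uat_if", SERVER, CLIENT),   # reply arrives from the server
    Packet("out", "ext_if", SERVER, CLIENT),  # reply leaves towards the client
]

if __name__ == "__main__":
    inbound_only = [create_state(HOPS[0])]
    both = inbound_only + [create_state(HOPS[1])]
    print("state from ext_if only:", trace(inbound_only, HOPS))
    print("plus state from uat_if:", trace(both, HOPS))
```

In this model the floating state created on `ext_if` covers only the first and last hop; the two hops on `uat_if` match only once a second state has been created for the outbound packet there.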