Re: Strange ? keep state behaviour
On Thursday, Jan 6, 2005, at 16:21 US/Pacific, Jason Murray wrote:
> If I understand things properly when the packet comes in on $ext_if it
> creates the state. Because the state is floating it should be picked
> up when the packet tries to go out on $uat_if. Since it is in the
> state table it should pass no problem.
Though the state is floating with respect to interfaces, the
_direction_ is still locked. It sees that out.side.add.ress sent a
packet IN to in.side.web.server, and so will only match future packets
with that address pair if they are also coming IN. (And packets OUT
for the reverse address pair, of course.) The "floating" part just
means it doesn't care what interface that happens on.
This particular point seems to have gotten lost in the documentation
since the if- and group-bound options were introduced.
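
Added example (not part of the original message and not pf's own code): a simplified Python model of the state matching described in the reply, keyed on addresses only and ignoring ports and protocol. The interface names stand in for $ext_if and $uat_if, and the second state assumes a stateful "pass out" rule on $uat_if, which the thread does not show.

```python
from dataclasses import dataclass
from typing import Optional

OUTSIDE, WEB = "out.side.add.ress", "in.side.web.server"  # placeholders from the thread

@dataclass(frozen=True)
class Packet:
    ifname: str      # interface the packet is seen on
    direction: str   # "in" or "out", relative to the firewall
    src: str
    dst: str

@dataclass(frozen=True)
class State:
    direction: str          # direction of the packet that created the state
    src: str
    dst: str
    ifname: Optional[str]   # None models a floating state, a name models if-bound

def matches(state: State, pkt: Packet) -> bool:
    # Interface check: floating states skip it, if-bound states enforce it.
    if state.ifname is not None and state.ifname != pkt.ifname:
        return False
    # Direction is locked: the original pair must travel the original
    # direction, the reversed pair must travel the opposite direction.
    if (pkt.src, pkt.dst) == (state.src, state.dst):
        return pkt.direction == state.direction
    if (pkt.src, pkt.dst) == (state.dst, state.src):
        return pkt.direction != state.direction
    return False

def lookup(table, pkt: Packet) -> bool:
    return any(matches(s, pkt) for s in table)

def forwarded_connection(table) -> dict:
    """Which of the four sightings of one forwarded exchange hit a state?"""
    return {
        "request in on ext_if":  lookup(table, Packet("ext_if", "in", OUTSIDE, WEB)),
        "request out on uat_if": lookup(table, Packet("uat_if", "out", OUTSIDE, WEB)),
        "reply in on uat_if":    lookup(table, Packet("uat_if", "in", WEB, OUTSIDE)),
        "reply out on ext_if":   lookup(table, Packet("ext_if", "out", WEB, OUTSIDE)),
    }

# State created by the inbound packet on ext_if only (the situation in the thread).
inbound_only = [State("in", OUTSIDE, WEB, None)]
# Plus the state an assumed stateful "pass out" on uat_if would create.
both = inbound_only + [State("out", OUTSIDE, WEB, None)]

if __name__ == "__main__":
    for name, table in (("inbound state only", inbound_only), ("both states", both)):
        print(name, forwarded_connection(table))
```

With only the inbound state, the forwarded request going out on uat_if and the reply coming in on uat_if find no state, so in this model a forwarded connection needs one state per direction of crossing.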