[pf4freebsd] Re: pfaltq-5.1.0.4 problem using fingerprinting

Daniel Hartmeier daniel at benzedrine.cx
Wed Sep 15 20:50:22 PDT 2004


On Tue, Sep 02, 2003 at 04:11:24PM +0100, Bruno Afonso wrote:

> Although I'm accessing through a "local" network, I'm always accessing
> the external interface (public IP), so that's not the issue :-)

Your assumption that connecting to the external address causes pf to
filter on $ext_if is wrong.

If you connect from the local network (to the external address), the
packet will only pass through the internal interface. If pf lets it pass
there, the stack of the pf box will detect that the destination is one
of its own addresses, and pass it up to the listening socket.

The packet never passes the external interface, and pf never gets to
filter it on the external interface. Whether you use the internal or
external address as destination just doesn't matter.

This is a common misconception; I don't know where it comes from.

Daniel
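The point above in pf.conf form, as an added example that is not part of the original thread; interface names, the LAN prefix and the service port are assumptions:

```pf
# Added example (not from the original message): a pf.conf fragment
# showing the misconception described above and the rule that matches.
# Interface names, network and port are assumptions, not from the thread.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"   # constructed example network

# Wrong assumption: "LAN clients connect to the public IP, so a rule on
# $ext_if covers them." It does not. A packet from the LAN addressed to
# the external address arrives on $int_if, is delivered to the local
# stack there, and never traverses $ext_if, so this rule never sees it.
pass in on $ext_if proto tcp from $lan to ($ext_if) port 22

# Correct: filter on the interface the packet actually enters through.
# The parentheses make pf track the interface's current address(es),
# so the rule still matches after the external address changes.
pass in on $int_if proto tcp from $lan to ($ext_if) port 22

# To confirm which rule a connection hits, add "log" to the rules and
# watch pflog0 with tcpdump, or read per-rule counters: pfctl -vvsr
```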
