floating keep state
Gilberto Villani Brito
linux at giboia.org
Wed Feb 27 21:10:42 UTC 2008
I didn't understand this rule:
pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state
I think it is:
pass in quick proto tcp from any to <www_servers> port $www_tcp_ports flags S/SA keep state
--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
On 27/02/2008, Vadym Chepkov <vchepkov at gmail.com> wrote:
> All,
>
> I must be doing something wrong, but I can't figure it out.
> I actually simplify the network structure, to keep it simple
>
> - a client and a web server are on different network segments;
> - all incoming connections to the client are prohibited;
> - client should be allowed to access web server and get a reply;
>
> Here are the rules:
>
> set state-policy floating
> pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state
> block in log to <protected_dev_net>
>
> In the pflog I can see that the reply packet from the www server is blocked on
> the server's segment interface. I thought 'set state-policy floating'
> should create a rule that is interface independent and allow a reply? Am I
> wrong?
>
> Thank you,
>
> Vadym Chepkov
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
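A complete, loadable version of the ruleset from the quoted message, added here as an example (it is not from either poster): the interface names, addresses and ports are assumptions, and the commented-out rule at the end shows the if-bound form of the same pass rule for comparison.

```pf
# Assumed interface names, addresses and ports; the thread does not give them.
dev_if = "em0"                  # segment holding the protected clients
srv_if = "em1"                  # segment holding the web servers
www_tcp_ports = "{ 80, 443 }"
table <www_servers> { 192.0.2.10, 192.0.2.11 }
table <protected_dev_net> { 10.0.0.0/24 }

# Every state created by a "keep state" rule below is floating unless the
# rule itself says otherwise.
set state-policy floating

# Client -> server. "from any" is implied when "from" is omitted, so this is
# the rule from the thread. The state is created when the SYN arrives inbound
# on $dev_if; a floating state must also match the SYN leaving on $srv_if and
# the SYN/ACK arriving inbound on $srv_if, so the reply never reaches the
# block rule.
pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state

# Anything else headed for the client segment is dropped and logged.
block in log to <protected_dev_net>

# For comparison: with a per-rule if-bound policy the state belongs to
# $dev_if only. The SYN/ACK arriving on $srv_if then finds no state, is
# evaluated against the rules, matches the block rule and shows up in pflog
# on the server-side interface.
# pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state (if-bound)

# Checks: "pfctl -nf /etc/pf.conf" parses without loading; "pfctl -ss" lists a
# floating state with "all" where an if-bound state shows the interface name;
# "tcpdump -n -e -ttt -i pflog0" shows the interface and rule number of each
# logged block.
```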