floating keep state
vchepkov at gmail.com
Wed Feb 27 21:46:50 UTC 2008
You can omit 'from any' or 'to any' as redundant in pf.conf.
# pfctl -sr|grep www_servers
pass in quick proto tcp from any to <www_servers> port = http flags S/SA keep state
pass in quick proto tcp from any to <www_servers> port = https flags S/SA keep state
On Wed, Feb 27, 2008 at 4:10 PM, Gilberto Villani Brito
<linux at giboia.org> wrote:
> I didn't understand this rule:
> pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state
> I think it is:
> pass in quick proto tcp from any to <www_servers> port $www_tcp_ports flags S/SA keep state
> Gilberto Villani Brito
> System Administrator
> Londrina - PR
> On 27/02/2008, Vadym Chepkov <vchepkov at gmail.com> wrote:
> > All,
> > I must be doing something wrong, but I can't figure it out.
> > I actually simplified the network structure, to keep it simple:
> > - a client and a web server are on different network segments;
> > - all incoming connections to the client are prohibited;
> > - client should be allowed to access web server and get a reply;
> > Here are the rules:
> > set state-policy floating
> > pass in quick proto tcp to <www_servers> port $www_tcp_ports flags S/SA keep state
> > block in log to <protected_dev_net>
> > In the pflog I can see that the reply packet from the www server is blocked on
> > the server segment's interface. I thought 'set state-policy floating'
> > should create an interface-independent rule and allow a reply? Am I
> > wrong?
> > Thank you,
> > Vadym Chepkov
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"