floating keep state
Vadym Chepkov
vchepkov at gmail.com
Thu Feb 28 04:02:09 UTC 2008
I created a lab configuration with the minimum settings:
The DNS server has IP 10.10.10.1.
The client has IP 10.10.11.254.
Between them is a 6.3-RELEASE-p1 box with interfaces 10.10.10.6 and 10.10.11.1.
Here is /etc/pf.conf:
set block-policy return
set state-policy floating
pass in log quick proto udp from any to 10.10.10.1 port domain keep state
block in log from any to 10.10.11.254
Now I run nslookup on the client; here is the output of tcpdump -n -l -e -i pflog0:
22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
The state is:
#pfctl -ss
self udp 10.10.10.1:53 <- 10.10.11.254:32772 NO_TRAFFIC:SINGLE
My question is: why was the reply packet blocked?
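Added example (editor's code, not part of the original post): a small Python parser for tcpdump's pflog output that pairs each logged request with any logged packet flowing back in the reverse direction. It leans on one property of pflog that is useful when reading output like the above: with a plain `log` keyword (not `log-all`), pf only logs packets that are evaluated against the ruleset; a packet matched by an existing state entry never reaches pflog. So a reply showing up in pflog at all means it was not matched to the state created by the `pass` rule and was run through the ruleset again, where the `block` rule caught it. The state entry in the post, with one side at SINGLE and the other at NO_TRAFFIC, is consistent with that: one packet from the client, none credited to the server. The sample input is the two lines from the post plus a third, constructed request whose reply is absent from pflog; the function names and the finding layout are the editor's own.

```python
import re

# Constructed sample input: the two pflog lines from the post, plus a third
# request (constructed) whose reply never shows up in pflog, i.e. a reply
# that was matched by state and therefore not logged.
PFLOG_SAMPLE = """\
22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
22:58:20.100000 rule 0/0(match): pass in on xl1: 10.10.11.254.32773 > 10.10.10.1.53: 45617+[|domain]
"""

# Shape of a "tcpdump -n -e -i pflog0" line:
#   <ts> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Parse pflog lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for k in ("rule", "sub", "sport", "dport"):
            ev[k] = int(ev[k])
        events.append(ev)
    return events


def flow_key(ev):
    """Direction-independent 4-tuple so a request and its reply share one key."""
    ends = sorted([(ev["sip"], ev["sport"]), (ev["dip"], ev["dport"])])
    return tuple(ends)


def unmatched_replies(events):
    """Pair each logged pass with a later logged packet in the reverse direction.

    Only ruleset-evaluated packets are logged (plain `log`), so any reply found
    here is one the state table did not match; the ruleset decided it again.
    """
    open_flows = {}
    findings = []
    for ev in events:
        key = flow_key(ev)
        if ev["action"] == "pass" and key not in open_flows:
            open_flows[key] = ev          # state-creating packet
            continue
        req = open_flows.get(key)
        if req is None:
            continue
        is_reply = (ev["sip"], ev["sport"]) == (req["dip"], req["dport"])
        if is_reply:
            findings.append({
                "flow": key,
                "request_if": req["ifname"],
                "request_rule": req["rule"],
                "reply_if": ev["ifname"],
                "reply_rule": ev["rule"],
                "reply_action": ev["action"],
                "crossed_interface": req["ifname"] != ev["ifname"],
            })
    return findings


def report(text):
    """Convenience wrapper: raw pflog text in, list of findings out."""
    return unmatched_replies(parse_pflog(text))


if __name__ == "__main__":
    for f in report(PFLOG_SAMPLE):
        client, server = f["flow"][1], f["flow"][0]
        print(f"{client} -> {server}: request passed by rule {f['request_rule']} "
              f"on {f['request_if']}, reply re-evaluated on {f['reply_if']} and "
              f"{f['reply_action']}ed by rule {f['reply_rule']}"
              + (" (different interface)" if f["crossed_interface"] else ""))
```

Run against the sample, the script reports exactly one finding: the 32772 flow, passed on xl1 by rule 0, whose reply came in on xl0 and was blocked by rule 1. The constructed 32773 request produces nothing, which is what a healthy state match looks like in pflog. Feed it real output from `tcpdump -n -l -e -i pflog0` to spot every flow whose reply bypassed the state table.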
More information about the freebsd-pf mailing list