keeping state on outgoing connections fails (?)
Guido van Rooij
guido at gvr.org
Wed Sep 3 13:52:05 UTC 2008
On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
> > I did test the following ruleset:
> > pass in quick on ep0 inet from 184.108.40.206 to 10.0.0.2 keep state
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 220.127.116.11 to 10.0.0.2
> > And there it works, but doesn't solve my problem unfortunately.
> And why doesn't it solve your problem?
> You really are going to have to either keep state on ep0 or allow
> everything that's legal in "pass out on ep0" statements.
> For example:
> block all
> pass in on ep0 inet from 18.104.22.168 to 10.0.0.2
> pass out on ep0 inet from 10.0.0.2 to 22.214.171.124
> pass out on bge0 inet proto tcp from 126.96.36.199 to 10.0.0.2 keep state
And why is that so? This basically rules out keep state on outgoing packets
on any router-type system. That seems like an unnecessary limitation.
I have not yet heard any reason why this is the case. pf was modelled
after ipf, so I wonder why this change in state handling was introduced.