Understanding the keep state?

Fire walls fayerwall at gmail.com
Wed Jun 24 04:31:28 UTC 2009


On Tue, Jun 23, 2009 at 6:28 PM, Eric Williams <purpleshadow100 at gmail.com> wrote:

> On 6/23/2009 7:58 PM, Fire walls wrote:
> >
> >   Working this way, where is the best way to put the "keep state"
> > statement, in the "LAN Rules" or in the "Firewall Rules" or in both parts?
> >
> >   Thanks all for your help, if I'm doing this the wrong way please let me
> > know, I want to get a deep understanding of pf.
>
> Excluding certain rare cases, generally you want to keep state on all
> rules. Because of this, more recent pf versions keep state by default. If
> you have a particular reason you don't want state kept, you need to use
> the "no state" statement; however, take note that if you're using NAT,
> you need state for proper routing of responses.
>
>
Thanks for your quick answer.

  Then in my case is it better to have:

*LAN Rule
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA keep state

*Firewall Rule
pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state

  Like you say, the current version adds the "keep state" by default; is that
the same thing I'm doing here, and will there not be any problem?

  Thanks for your help!!!


-- 
:-)
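
Added example, not part of the original messages: a pf.conf fragment placing the explicit rules from the message beside the shorter form that relies on the default the reply describes. The interface names, the LAN prefix, the nat rule and the commented stateless variant are assumptions constructed for illustration.

```conf
# Macros (constructed placeholder values, adjust to the real interfaces)
IntIF    = "em1"
ExtIF    = "em0"
LOCALLAN = "192.168.1.0/24"

# NAT (assumed here): the translation is stored in the state entry, so
# replies can only be mapped back to the LAN host if state is kept.
nat on $ExtIF from $LOCALLAN to any -> ($ExtIF)

# Explicit form, as written in the message. A forwarded packet is
# filtered twice (in on $IntIF, out on $ExtIF), so both rules are needed
# and each one creates its own state entry.
pass in  quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA keep state
pass out quick on $ExtIF proto tcp from any       to any port 80 flags S/SA keep state

# Equivalent on pf versions that keep state by default: leaving out
# "keep state" changes nothing, and writing it is harmless.
# pass in  quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA
# pass out quick on $ExtIF proto tcp from any       to any port 80 flags S/SA

# Stateless form, for comparison only. Each direction needs its own rule,
# and "flags S/SA" must be replaced by "flags any" because without state
# every packet of the connection is matched against the rules, not just
# the initial SYN. This does not work together with the nat rule above.
# pass in  quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags any no state
# pass out quick on $IntIF proto tcp from any port 80 to $LOCALLAN flags any no state

# Checks after editing:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -sr                show loaded rules, including keywords pf added by default
#   pfctl -ss                show the state table while a LAN host browses
```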

