pf, stateful filter and DMZ
Victor Sudakov
vas at sibptus.ru
Sun Dec 1 14:38:56 UTC 2019
There is still one thing I cannot understand about pf's notion of state.
Consider this very simple example:
===================================
# DMZ 172.16.1.0/24
pass in on $dmz
#block in on $dmz from any to 192.168.0.0/16
# Inside 192.168.10.0/24
pass in on $inside
===================================
While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3.
But when I uncomment the "block ..." line and restart pf, I cannot do
that any more. Why is that?
My idea was that the "pass in on $inside" creates state so that return
traffic from 172.16.1.10:80 to 192.168.10.3:52447 should be permitted, but this
is not happening. Why?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20191201/630f8c50/attachment.sig>
More information about the freebsd-net
mailing list