pf, stateful filter and DMZ
Matthew Seaman
matthew at FreeBSD.org
Fri Nov 22 09:42:54 UTC 2019
On 22/11/2019 06:19, Victor Sudakov wrote:
>>> 2. ICMP traffic in any direction
>> Sounds like a bad idea. Why would you do it?
> Well, for example, if a host in $inside_net sends a UDP datagram to a
> host in $dmz_net which generates an ICMP port unreachable message, I
> want the host in $inside_net to actually receive the message. If pf is
> THAT stateful and smart, then this rule is not necessary.
I believe that pf is clever enough to pass ICMP messages associated with
a TCP or UDP connection for which it already has an established state
without needing any specific additional rules.
BICBW.
Cheers,
Matthew
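As an added illustration, not part of the thread, here is a minimal pf.conf for the scenario discussed: hosts in $inside_net talking to $dmz_net, with no blanket ICMP rule. Interface names and address ranges are placeholders; pf matches ICMP error messages (such as port unreachable) against the inner TCP/UDP header and passes them when a corresponding state already exists.

```pf
# Placeholder interfaces and networks (assumptions, not from the thread)
inside_if  = "em0"
dmz_if     = "em1"
inside_net = "192.0.2.0/24"
dmz_net    = "198.51.100.0/24"

set skip on lo0

# Default deny in every direction
block log all

# Over-broad rule from the original list, left disabled: it would admit
# every ICMP type in every direction, including unsolicited probes.
# pass proto icmp all

# Stateful pass for inside -> DMZ TCP/UDP. The state entry covers the
# reply traffic, and pf also matches ICMP errors (port unreachable,
# fragmentation needed, etc.) whose embedded header refers to this
# state, so no separate ICMP rule is needed for them.
pass in  on $inside_if proto { tcp, udp } from $inside_net to $dmz_net keep state
pass out on $dmz_if    proto { tcp, udp } from $inside_net to $dmz_net keep state

# If ping from the inside to the DMZ is wanted, allow only echo requests;
# the echo replies are matched by the state created here.
pass in  on $inside_if inet proto icmp from $inside_net to $dmz_net icmp-type echoreq keep state
pass out on $dmz_if    inet proto icmp from $inside_net to $dmz_net icmp-type echoreq keep state
```

After loading the ruleset with pfctl -f, sending a UDP datagram from the inside to a closed port in the DMZ should leave a udp state visible in pfctl -ss while the ICMP port unreachable is delivered, and the block counters in pfctl -vsr should not increment for it.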