outgoing LAN traffic always in "keep state"

Kian Mohageri kian.mohageri at gmail.com
Mon Jun 19 05:33:18 UTC 2006


Post your ruleset and people can help you.  You're probably using
nat/rdr/binat which create states.

-Kian

On 6/18/06, Ronnel P. Maglasang <rmaglasang at infoweapons.com> wrote:
>
> I have a minimum PF setup that sits in between my internal network (LAN)
> and external network (WAN). PF by design bypasses ruleset evaluation (on
> external interfaces) for incoming packets on the external interface that
> correspond to an entry in the state table or are a response to an
> internally generated packet. I observe this for TCP, UDP and also ICMP
> packets. Even if the matching rule on the internal interface does not
> have a "keep state", the response packet still bypasses the ruleset
> evaluation. Is there a way to force response packets to go through
> ruleset evaluation? I just want to have full control of the incoming
> packets on the external interface whether they are a response to LAN
> traffic or not. I'll be implementing queueing soon and I think this PF
> behavior will affect it badly. Has anyone experienced this?
>
> Thanks a lot.
> - sho
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
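To make the point of the reply concrete, here is an added pf.conf fragment for a LAN/WAN gateway of the kind described in the question. It is not a ruleset posted in this thread; the interface names and the LAN prefix are assumed for illustration. It shows that a nat rule creates a state entry on its own, which is why reply packets on the external interface skip the filter rules even when no pass rule says "keep state".

```pf
# Added example, not from the thread. Interface names and the LAN
# prefix are assumptions chosen for illustration.
ext_if = "fxp0"
int_if = "fxp1"
lan_net = "192.168.1.0/24"

# Translation rules (nat, rdr, binat) create state entries by themselves.
# Every LAN connection translated here gets a state, so its reply packets
# arriving on $ext_if match that state and never reach the filter rules.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, then explicit passes.
block all

# No "keep state" here: the outgoing packet is passed statelessly, but
# once it leaves via $ext_if the nat rule above has already created a
# state, and that state, not a "pass in on $ext_if" rule, admits the reply.
pass in on $int_if proto tcp from $lan_net to any port 80

# With "keep state" the picture is the same but explicit: the state
# created by this rule decides the fate of the replies, and any queue
# assigned on this rule applies to packets matching the state.
pass in on $int_if proto tcp from $lan_net to any port 443 keep state
pass out on $ext_if proto tcp from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -s state` to see the entries the nat rule creates for LAN connections; each one is what lets the return traffic in without being evaluated against the ruleset. For queueing, assign the queue on the pass rule that creates the state, since packets matched by a state are assigned to that state's queue rather than being re-evaluated.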

