Packet Path Through PF (once for each interface?)

Kian Mohageri kian.mohageri at gmail.com
Thu May 17 00:06:59 UTC 2007


On 5/16/07, Tom Judge <tom at tomjudge.com> wrote:
> em0 and bge0
> em2 and bce0
> em3 and bce1
>
> Do all the interface names have to match on the HA pair?

Yes they do - but that is only if you use an if-bound state-policy,
which isn't default.

Keep in mind that states also have a direction associated with
them.  Take this for example from my firewalls:

# pfctl -ss | grep 66.165.31.204
all tcp 66.165.31.204:22 <- 71.227.220.29:1854       ESTABLISHED:ESTABLISHED
all tcp 71.227.220.29:1854 -> 66.165.31.204:22       ESTABLISHED:ESTABLISHED

You should read Daniel Hartmeier's (PF developer) 3-part article on
Undeadly.  Maybe it will clear things up for you.

http://www.undeadly.org/cgi?action=article&sid=20060927091645

Kian
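
The following is an added example, not part of the original post: a small parser for the simple (no NAT) `pfctl -ss` line format shown above that reports each state's direction and lists if-bound states whose interface name does not exist on the HA peer. The function names, the `em0` sample line and the peer interface set (taken from the interface pairs in the quoted question) are assumptions made for illustration.

```python
import re

# One state line in the simple form shown in the post:
#   <ifname|all> <proto> <addr:port> <-|-> <addr:port>   <state>
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?P<arrow><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)

def parse_states(text):
    """Parse state lines; anything not in the simple form is skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # shell prompt, blank line, or a form not covered here
        s = m.groupdict()
        # "<-" marks a state created by an inbound packet, "->" an outbound one
        s["direction"] = "in" if s["arrow"] == "<-" else "out"
        # The first column is "all" for a floating state, otherwise the
        # interface the state is bound to (if-bound state-policy)
        s["if_bound"] = s["ifname"] != "all"
        states.append(s)
    return states

def states_missing_on_peer(states, peer_interfaces):
    """Return if-bound states whose interface is absent on the peer."""
    return [s for s in states
            if s["if_bound"] and s["ifname"] not in peer_interfaces]

# Constructed sample: the two floating states from the post plus one
# constructed if-bound state on em0 (documentation addresses).
SAMPLE = """\
# pfctl -ss
all tcp 66.165.31.204:22 <- 71.227.220.29:1854       ESTABLISHED:ESTABLISHED
all tcp 71.227.220.29:1854 -> 66.165.31.204:22       ESTABLISHED:ESTABLISHED
em0 tcp 192.0.2.10:22 <- 198.51.100.7:40000       ESTABLISHED:ESTABLISHED
"""

# Assumed peer interface names, from the pairs in the quoted question
PEER_INTERFACES = {"bge0", "bce0", "bce1"}

if __name__ == "__main__":
    parsed = parse_states(SAMPLE)
    for s in parsed:
        print(s["ifname"], s["direction"], s["left"], s["arrow"], s["right"])
    for s in states_missing_on_peer(parsed, PEER_INTERFACES):
        print("no matching interface on peer:", s["ifname"], s["left"])
```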

