pf's states

Victor Sudakov vas at sibptus.ru
Mon Dec 2 13:40:49 UTC 2019


Max wrote:
> 
> Is this a complete ruleset? 

For this lab, yes, almost complete. There is only one more line, 
"nat on $outside ...", but strictly speaking, "nat" is not a rule.

> What about "pass out..." rules? 

Why would I need them? In pf, it's "pass" by default.

> You should 
> check other rules since you have no "quick" in your listed rules. 

1. There are no other rules. 

2. Even if there were, they should be irrelevant because the
"pass in on $inside" rule should create state, and states are processed
before rules.

> The last matching rule decides what action is taken.

The last matching rule on the $inside interface is 
"pass in on $inside". 

The last matching rule on the $outside interface is
"block in on $dmz from any to 192.168.0.0/16"


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
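The evaluation order the reply relies on (state table consulted first, then a top-to-bottom ruleset walk where the last matching rule wins unless a matching rule says "quick", with an implicit default of pass) can be checked against a small model. The following is an added example written for this page, not code from the thread or from pf itself: the PfModel class, the interface names inside/outside/dmz, and every address are constructed for illustration, and nat/rdr translation, ports, protocols and TCP flag checks are deliberately left out.

```python
"""Toy model of pf's packet-decision order (constructed example, not pf code).

Order modelled, following pf.conf(5):
  1. state-table lookup: a packet matching an existing state is passed
     without the ruleset being consulted at all;
  2. ruleset walk top to bottom: the *last* matching rule wins, unless a
     matching rule carries "quick", which ends the walk immediately;
  3. if no rule matched, the implicit default is pass;
  4. a winning "pass" rule with keep state (pf's default) adds a state.
Not modelled: nat/rdr, ports, protocols, TCP flags, rule options.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _addr_in(spec: str, addr: str) -> bool:
    """Match one address against 'any' or a host/CIDR spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out", relative to the firewall
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    direction: Optional[str] = None  # None matches both in and out
    iface: Optional[str] = None  # None matches every interface
    src: str = "any"
    dst: str = "any"
    quick: bool = False
    keep_state: bool = True  # pf keeps state on pass rules by default

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.direction is None or self.direction == pkt.direction)
            and (self.iface is None or self.iface == pkt.iface)
            and _addr_in(self.src, pkt.src)
            and _addr_in(self.dst, pkt.dst)
        )


class PfModel:
    """Hypothetical evaluator (assumption: not pf's real data structures)."""

    def __init__(self, rules, state_policy: str = "floating"):
        # "floating" is pf's default: a state matches on any interface.
        # "if-bound": a state only matches on the interface that created it.
        self.rules = list(rules)
        self.state_policy = state_policy
        self.states: set = set()

    def _state_keys(self, pkt: Packet) -> set:
        # Both directions of the flow, since the reply has src/dst swapped.
        iface = pkt.iface if self.state_policy == "if-bound" else "*"
        return {(iface, pkt.src, pkt.dst), (iface, pkt.dst, pkt.src)}

    def decide(self, pkt: Packet):
        """Return (action, reason) for one packet and update the state table."""
        keys = self._state_keys(pkt)
        if keys & self.states:
            return ("pass", "state")  # step 1: state wins, no rule evaluated
        winner = None
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                winner = (idx, rule)  # step 2: keep overwriting, last wins
                if rule.quick:
                    break  # "quick" ends the walk at this rule
        if winner is None:
            return ("pass", "default")  # step 3: implicit default pass
        idx, rule = winner
        if rule.action == "pass" and rule.keep_state:
            self.states |= keys  # step 4: create state for both directions
        return (rule.action, f"rule {idx}")


# Constructed ruleset in the shape the thread discusses (no nat line).
LAB_RULES = [
    Rule("pass", "in", "inside"),
    Rule("block", "in", "dmz", dst="192.168.0.0/16"),
]

# Constructed pair to contrast "quick" with plain last-match ordering.
QUICK_RULES = [Rule("block", "in", "outside", src="10.0.0.0/8", quick=True),
               Rule("pass", "in", "outside")]
LAST_MATCH_RULES = [Rule("block", "in", "outside", src="10.0.0.0/8"),
                    Rule("pass", "in", "outside")]


def demo() -> dict:
    """Run constructed packets through the model; addresses are made up."""
    fw = PfModel(LAB_RULES)
    lan_out = Packet("inside", "in", "192.168.1.10", "203.0.113.5")
    wan_out = Packet("outside", "out", "192.168.1.10", "203.0.113.5")
    wan_reply = Packet("outside", "in", "203.0.113.5", "192.168.1.10")
    results = {
        "lan_out": fw.decide(lan_out),       # pass by rule 0, state created
        "wan_out": fw.decide(wan_out),       # passed by state, no "pass out" needed
        "wan_reply": fw.decide(wan_reply),   # reply also passed by state
        "dmz_to_lan": fw.decide(Packet("dmz", "in", "172.16.0.5", "192.168.1.10")),
        "dmz_to_wan": fw.decide(Packet("dmz", "in", "172.16.0.5", "203.0.113.5")),
    }
    spoofed = Packet("outside", "in", "10.1.1.1", "192.168.1.10")
    results["quick_block"] = PfModel(QUICK_RULES).decide(spoofed)
    results["last_match_pass"] = PfModel(LAST_MATCH_RULES).decide(spoofed)
    bound = PfModel(LAB_RULES, state_policy="if-bound")
    bound.decide(lan_out)
    results["if_bound_reply"] = bound.decide(wan_reply)  # state not found on outside
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The model makes the two points of the reply concrete: the outbound and reply packets on outside are passed by the state the "pass in on $inside" rule created, so no "pass out" rule is consulted, and with no "quick" in the ruleset only the last matching rule matters. Changing state_policy to "if-bound" shows when that assumption breaks: the state created on inside is not found on outside and the packet falls through to the ruleset and the default policy.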