pf's states

Kajetan Staszkiewicz vegeta at tuxpowered.net
Mon Dec 2 14:18:15 UTC 2019


On 02.12.19 11:23, Artem Viklenko via freebsd-pf wrote:
> Hi!
> 
> Check current state-policy - if-bound or floating.
> If it is if-bound, out rules are needed. If floating - state should pass
> traffic in reverse direction.

That's not true. Created pf states will always match bidirectional
traffic. State-bound means that finding the existing state for an incoming
packet is done not only by the normal TCP/IP quadruple; the incoming
interface is also checked.

Floating is useful when you have a router and a given TCP session can move
from one uplink to another. Packets will still match the connection
established before.

Interface-bound is useful if you have traffic passing twice via the same
router, both ways. For example, you run pf on a router and one host behind
the router wants to talk to another host behind the same router, but the
traffic is not routed by this router itself and is always sent to another
router. In this case a packet incoming from the originating host would be
indistinguishable from a packet bounced back by the upstream router if not
for the interface being added to the state key.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
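To make the "bounced packet" case above concrete, here is a toy model of pf's state lookup under the two policies. It is an added illustration, not pf source or anything from this thread: the state key is reduced to protocol plus the two address/port pairs (so both directions share one key), and an if-bound state is simply one that only matches on the interface it was created on. Interface names, hosts and ports are constructed.

```python
"""Toy model of pf state lookup: floating vs if-bound (constructed, not pf code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ifname: str    # interface the packet arrived on
    proto: str
    src: tuple     # (addr, port)
    dst: tuple     # (addr, port)


class StateTable:
    def __init__(self, policy):
        assert policy in ("floating", "if-bound")
        self.policy = policy
        self.states = []   # (key, interface the state was created on)

    @staticmethod
    def key(pkt):
        # Normalise so A->B and B->A share one key: states match both directions.
        return (pkt.proto,) + tuple(sorted([pkt.src, pkt.dst]))

    def lookup(self, pkt):
        for k, ifn in self.states:
            if k != self.key(pkt):
                continue
            # Floating: any interface matches. If-bound: only the creating one.
            if self.policy == "floating" or ifn == pkt.ifname:
                return ifn
        return None

    def process(self, pkt):
        """('state', created_on) if an existing state matched, else ('rules',
        ifname): the ruleset had to be evaluated and a new state was created."""
        hit = self.lookup(pkt)
        if hit is not None:
            return ("state", hit)
        self.states.append((self.key(pkt), pkt.ifname))
        return ("rules", pkt.ifname)


def bounced_scenario(policy):
    """Host A (LAN) talks to host B (same LAN) via the upstream router."""
    t = StateTable(policy)
    a_to_b = ("tcp", ("10.0.0.10", 40000), ("10.0.0.20", 22))
    first = t.process(Packet("int0", *a_to_b))     # A's packet enters from the LAN
    bounce = t.process(Packet("ext0", *a_to_b))    # same packet back from upstream
    reply = t.process(Packet("int0", "tcp", a_to_b[2], a_to_b[1]))  # B answers
    return first, bounce, reply, len(t.states)
```

With floating states the bounced copy on ext0 silently matches the state made on int0, so the ext0 rules never run; with if-bound it is a distinct flow and gets its own state, while the reply still matches the original state in both modes.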
