packet filter keep state doesn't

Erik Norgaard norgaard at
Fri Oct 23 12:15:43 UTC 2009


I have a setup like this:

             LAN          SRV
    CLIENT ------- FBSD ------- GW/DSL ---- Internet

Now, I'd like my client to connect to the DSL box to manage it, so I 
have created the following rules in my pf.conf:

pass  in log quick on $FBSD_LAN inet proto tcp from CLIENT to GW \
      port 80 flags S/SA keep state
pass  out log quick on $FBSD_SRV inet proto tcp from $FBSD_IP \
      to <Internet> port 80 keep state
block out log quick on $FBSD_SRV all

I added the log keyword for debugging. It turns out that the packet is 
blocked by the last rule, despite the keep state.

Am I doing something wrong or is this how it is supposed to be? I 
thought that I could just concentrate on filtering the incoming 
packets using keep state, then the out rules would only apply to packets 
originating from the FBSD box.

The curious thing is that since the FBSD box does NAT for connections 
with the Internet, packets destined for the Internet are not affected.

Thanks, Erik

Erik Nørgaard
Ph: +34.666334818/+34.915211157        
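Added example, not part of Erik's post or of pf itself: a toy model of a stateful, first-match-with-quick packet filter that treats a forwarded packet as one check on the inbound interface and a second check on the outbound interface, as the post describes. It is parameterised by the two values pf.conf(5) accepts for `set state-policy` (`if-bound` and `floating`); which one a given pf release uses by default is not stated in the post, so the model runs both. The interface names `lan`/`srv`, the addresses, and the `ToyFilter` class are constructed for the example; NAT is modelled simply as rewriting the source address before the outbound check.

```python
"""Toy stateful packet filter, loosely modelled on pf (not pf's own code).

Rules are evaluated in order; the last matching rule wins unless a matching
rule is 'quick', which ends evaluation at once.  A winning pass rule with
keep_state records a state entry, and later packets are checked against the
state table before any rule is consulted.  A forwarded packet is filtered
twice: 'in' on the interface it arrives on and 'out' on the one it leaves by.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out", relative to the filtering host
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str  # "pass" or "block"
    direction: str  # "in" or "out"
    iface: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface == p.iface
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


class ToyFilter:
    def __init__(self, rules: List[Rule], state_policy: str = "floating"):
        assert state_policy in ("floating", "if-bound")
        self.rules = list(rules)
        self.state_policy = state_policy
        self.states = set()  # constructed state table: (src, dst, dport, iface)
        self.log = []        # (packet, action, reason) for debugging, like 'log'

    def _key(self, p: Packet):
        # if-bound: a state only matches on the interface that created it.
        # floating: the interface is not part of the key, so any interface matches.
        # (Reply-direction matching is omitted; only the forward key is kept.)
        iface = p.iface if self.state_policy == "if-bound" else None
        return (p.src, p.dst, p.dport, iface)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.states:
            self.log.append((p, "pass", "state"))
            return "pass"
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        action = winner.action if winner else "pass"  # default is pass
        if winner is not None and action == "pass" and winner.keep_state:
            self.states.add(self._key(p))
        self.log.append((p, action, "rule" if winner else "default"))
        return action


# Constructed addresses standing in for CLIENT, GW, $FBSD_IP and <Internet>.
CLIENT, GW, FBSD_IP, INTERNET_HOST = "192.0.2.10", "192.0.2.1", "198.51.100.2", "203.0.113.5"


def ruleset() -> List[Rule]:
    """The three rules from the post, in this model's notation."""
    return [
        Rule("pass", "in", "lan", src=CLIENT, dst=GW, dport=80, quick=True, keep_state=True),
        Rule("pass", "out", "srv", src=FBSD_IP, dst=INTERNET_HOST, dport=80, quick=True, keep_state=True),
        Rule("block", "out", "srv", quick=True),
    ]


def forward_client_to_gw(state_policy: str) -> Tuple[str, str]:
    """CLIENT -> GW:80 is not NATed; the outbound check sees the original source."""
    fw = ToyFilter(ruleset(), state_policy)
    inbound = Packet("lan", "in", CLIENT, GW, 80)
    outbound = Packet("srv", "out", CLIENT, GW, 80)
    return fw.filter(inbound), fw.filter(outbound)


def forward_client_to_internet(state_policy: str) -> Tuple[str, str]:
    """CLIENT -> Internet:80 is NATed: the outbound packet carries $FBSD_IP as source."""
    fw = ToyFilter(ruleset(), state_policy)
    inbound = Packet("lan", "in", CLIENT, INTERNET_HOST, 80)
    outbound = Packet("srv", "out", FBSD_IP, INTERNET_HOST, 80)  # after NAT
    return fw.filter(inbound), fw.filter(outbound)


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, "to GW:", forward_client_to_gw(policy),
              "to Internet:", forward_client_to_internet(policy))
```

Under `floating` the state created by the `pass in ... keep state` rule also matches the outbound check on `srv`, so the packet to the GW never reaches the final `block out` rule; under `if-bound` the outbound check finds no state on `srv`, the `pass out` rule does not match (source is CLIENT, not `$FBSD_IP`), and the `block out` rule wins. NATed traffic to the Internet passes either way because the rewritten source matches the `pass out` rule, which is the asymmetry the post describes.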
