pf usage

Doug Hardie bc979 at lafn.org
Wed Feb 26 10:55:20 UTC 2020


I just learned something quite unexpected about pf.  Some time ago, the rules had to include "state" to have pf track state.  However, later pf was changed to always assume "state" thus reducing the typing of the rules.  The description of that change made me believe that the change was in pf.  On one of my systems with two NICs and two different internet providers, I was using pftop to track usage.  The only states I saw were for just one network.  The other one never showed any states, but the packets were delivered properly.

I discovered that pf has to have a rule for each interface.  I used "pass all" for the interface that needed no other rules.  The change apparently was made to pfctl, not pf.  So the one interface had no rules, and hence there was nothing to tell pf to track state.

-- Doug
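An added illustration of the point above, not Doug's own ruleset: interface names, the loopback skip and the networks are assumptions. It shows a ruleset that leaves one provider interface without any rule beside one that gives every interface a pass rule so that pfctl's implicit "keep state" applies to both.

```pf
# Added example, not the poster's configuration.
# Interface names are assumptions chosen for illustration.
ext_if1 = "em0"      # first internet provider
ext_if2 = "em1"      # second internet provider
int_if  = "em2"      # LAN side

set skip on lo0

# Before: only the first provider interface has a rule.
# Traffic on $ext_if2 matches no rule at all, so pf falls back to its
# default of passing it without creating state; pftop and "pfctl -ss"
# show states only for $ext_if1.
#pass on $ext_if1 all

# After: every interface whose traffic should be tracked gets at least
# one pass rule.  pfctl appends "keep state" to each pass rule when the
# ruleset is loaded, so both provider interfaces now create states.
pass on $ext_if1 all
pass on $ext_if2 all
pass on $int_if all
```

To confirm what was actually loaded, "pfctl -sr" prints each pass rule with the "keep state" that pfctl added, and "pfctl -ss" (or pftop) should then list states on both provider interfaces.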


