[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF gateway problems.. return traffic blocked (but not if in N AT m ode!)

To: Adrian Buxton <Adrian.Buxton@team.ozemail.com.au>
Subject: Re: PF gateway problems.. return traffic blocked (but not if in N AT m ode!)
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Fri, 21 Jun 2002 09:39:57 +0200
Cc: "'misc@openbsd.org'" <misc@openbsd.org>
Content-Disposition: inline
References: <74AB07E55B7BD411B33200508B605FCF060B6962@mail-is.internal.ozemail.com.au>
User-Agent: Mutt/1.2.5.1i

On Fri, Jun 21, 2002 at 05:30:05PM +1000, Adrian Buxton wrote:

> They create states on both interfaces? Where?? The only rules relating to
> this are 
> 
> pass in quick on $int_if proto tcp from $int_nets to any flags S keep state
> pass in quick on $int_if proto { icmp, udp } from $int_nets to any keep state

But you also have

pass out quick on $ext_if proto tcp from $ext_if to any flags S keep state
pass out quick on $ext_if proto { icmp, udp } from $ext_if to any keep state

So a connection from a local machine to an external machine comes in on
$int_if, creates state there, then goes out through $ext_if (with source
address $ext_if, since you NAT) and creates states again. Two states.

> So, this means I have to keep state on the external interface else the
> return traffic is dropped?

If you have a default block on both interfaces, yes.

Daniel

References:
- Re: PF gateway problems.. return traffic blocked (but not if in N AT m ode!)
  - From: Adrian Buxton <Adrian.Buxton@team.ozemail.com.au>

Prev by Date: Re: XF4 and intel i810 card. (Will be supported by XF4?)
Next by Date: Re: GCC vs. /bsd]
Prev by thread: Re: PF gateway problems.. return traffic blocked (but not if in N AT m ode!)
Next by thread: Re: PF gateway problems.. return traffic blocked (but not if in N AT m ode!)
Index(es):
- Date
- Thread