Given appropriate definitions for $eth and $lan, you'd expect the
following rule to simply pass all traffic originating from and destined
for the LAN:

  pass on $eth from $lan to $lan

However, in pf, "keep state" is *implicit* (why?), so you'd expect it to
turn into something like this:

  pass on $eth from $lan to $lan keep state

but what you actually get is this:

  pass on $eth from $lan to $lan flags S/SA keep state

which only matches TCP handshakes, so your UDP streams are screwed.

Workaround: explicitly specify TCP and UDP, causing pf to split the rule
into two:

  pass on $eth inet proto { tcp, udp } from $lan to $lan

becomes

  pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
  pass on $eth inet proto udp from $lan to $lan keep state

There does not seem to be any way to turn off this misguided rewriting
of firewall rules.

DES
-- 
Dag-Erling Smørgrav - [EMAIL PROTECTED]