On 02.12.19 11:23, Artem Viklenko via freebsd-pf wrote:
> Hi!
>
> Check current state-policy - if-bound or floating.
> If it is if-bound, out rules needed. If floating - state should pass
> traffic in reverse direction.
That's not true. Created pf states will always match bidirectional traffic. State-bound means that finding the existing state for an incoming packet is done not only by the normal TCP/IP quadruple, but the incoming interface is also checked.

Floating is useful when you have a router and a given TCP session can move from one uplink to another. Packets will still match a connection established before.

Interface-bound is useful if you have traffic passing twice via the same router, two ways. For example, you run pf on a router and one host behind the router wants to talk to another host behind the same router, but traffic is not routed by this router itself but always sent to another router. In this case a packet incoming from the originating host would be indistinguishable from a packet bounced back by the upstream router if not for the interface being added to the state key.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net   |
| Vegeta                | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
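As an added illustration (not part of the thread, and not Artem's or Kajetan's configuration), here is a pf.conf fragment for the "traffic passes twice via the same router" scenario described above. Interface names, addresses and the port are assumed for the example: em0 faces hosts A (192.0.2.10) and B (192.0.2.20), em1 faces the upstream router, and A's packets to B leave via em1 and are returned by the upstream router, as in Kajetan's description. Two variants are shown as two separate files, since pfctl requires "set" options to precede filter rules: the floating default, and the if-bound policy with the additional rules it requires.

```conf
# --- Variant 1: /etc/pf.conf with floating states (pf's default) ---
# Added example; interface names and addresses are assumed, not from the thread.
int_if = "em0"          # hosts A and B are reached via this interface
ext_if = "em1"          # link to the upstream router
host_a = "192.0.2.10"
host_b = "192.0.2.20"

set state-policy floating

block log all

# A -> B enters on $int_if and creates one floating state. Because the
# interface is not part of the state key, that single state also matches
# the same packet leaving on $ext_if, the copy the upstream router sends
# back in on $ext_if, and the final delivery out on $int_if. No further
# rule is needed, and pf cannot tell the original packet from the bounced one.
pass in on $int_if proto tcp from $host_a to $host_b port 22 keep state


# --- Variant 2: /etc/pf.conf with interface-bound states ---
int_if = "em0"
ext_if = "em1"
host_a = "192.0.2.10"
host_b = "192.0.2.20"

set state-policy if-bound

block log all

# A -> B enters on $int_if; the state is bound to em0 and matches only there.
pass in  on $int_if proto tcp from $host_a to $host_b port 22 keep state

# The same packet leaving on $ext_if does not match the em0 state, so it
# needs its own rule, which creates a second state bound to em1.
pass out on $ext_if proto tcp from $host_a to $host_b port 22 keep state

# The copy returned by the upstream router arrives in on $ext_if. It matches
# neither existing state, so it is evaluated against the $ext_if inbound
# rules and can be handled separately from the original packet (here it is
# logged; use "block in log on $ext_if from $host_a" instead to refuse it).
pass in log on $ext_if proto tcp from $host_a to $host_b port 22 keep state

# Final delivery out on $int_if needs its own rule and state as well.
pass out on $int_if proto tcp from $host_a to $host_b port 22 keep state

# The policy can also be set per rule, overriding "set state-policy":
#   pass in on $int_if proto tcp from $host_a to $host_b port 22 \
#       keep state (if-bound)
#   pass in on $int_if proto tcp from $host_a to $host_b port 22 \
#       keep state (floating)
```

After loading either file with pfctl -f /etc/pf.conf, open one connection from A to B and run pfctl -ss: floating states show "all" in the first column, if-bound states show the interface they are bound to. With variant 1 a single state carries the connection through all four passes over the router; with variant 2 you should see four states for the same connection (two bound to em0, two to em1), one per interface and direction, and the replies from B to A match those same states in reverse.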