On Fri, Nov 04, 2005 at 07:22:33PM +1100, Cameron Simpson wrote:
> I was imagining the keep state stuff handled that. So - for my mental
> model - a packet being forwarded traverses the rules twice: once on the
> way in and once on the way out?

Yes.

> Well I'd reduced my test to pinging the firewall itself. An earlier
> tcpdump was showing pings coming in and no replies. Would that imply pings
> arriving and being dropped, and thus no replies attempted by the OS?

Maybe. The replies could also be happening, but be dropped by pf. You can
look at 'netstat -sp icmp' to see if they're getting beyond pf and what the
kernel is doing with them.

bpf (and thus tcpdump) happens before pf incoming, and after pf outgoing:

wire -> interface -> bpf -> pf -> routing -> pf -> bpf -> interface -> wire
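As an added illustration of the two-pass evaluation described above (this ruleset is not from the thread or from the pf project; the interface name fxp0 is a hypothetical placeholder), the following pf.conf fragment shows why an inbound ICMP rule without keep state can produce exactly the symptom Cameron saw: echo requests visible on the wire, echo replies generated by the kernel, but no replies leaving the box. In pf of that era keep state was not implied, so the echo reply is evaluated on its own against the outbound pass and falls through to the default block.

```pf
# Added example, not part of the original thread.
ext_if = "fxp0"   # hypothetical interface name

# Default deny in both directions.  "log" makes every drop visible on
# pflog0, which is the quickest way to see pf discarding the replies.
block log all

# Broken variant: lets the echo request reach the kernel, but the echo
# reply is a separate packet evaluated on the outbound pass, where only
# "block log all" matches.  On the wire: requests in, no replies out;
# in netstat -sp icmp: "echo reply" output count still rising.
# pass in on $ext_if inet proto icmp icmp-type echoreq

# Working variant: the state entry created when the request passes in
# matches the reply on the outbound pass, so no separate pass-out rule
# for the replies is needed.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state
```

To confirm which case you are in, run `tcpdump -n -e -ttt -i pflog0 icmp` while pinging: with the broken rule you will see the echo replies logged as blocked on the out direction, and `pfctl -s state` will show no ICMP state entry; with keep state, the state appears and pflog0 stays quiet.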