On Thu, Apr 26, 2018 at 2:40 PM, Daniel Melameth <dan...@melameth.com> wrote:
> The man page defines this as "States can match packets on any
> interfaces." I understood this to mean that state created on one
> interface would automatically create state, or allow a related match,
> on another interface, but this is not the case. Simple example:
>
> Host A
> 10.0.0.2
>
> Firewall
> 10.0.0.1 (hvn0)
> 10.0.1.1
>
> Host B
> 10.0.1.2
>
> /etc/pf.conf from the firewall:
> block log
> pass in on hvn0
>
>
> With the above, traffic cannot pass from A to B. With pf disabled on
> the firewall, traffic passes.
"floating" does not mean that "pass in" rules also count as "pass out" rules.
Instead it means that a "pass in" rule for hvn0 will allow subsequent packets
for that connection to be "passed in" even if they arrive on a different
interface.

I think this example might make it clearer what "floating" does:

Firewall
10.0.0.1 (hvn0)
10.0.0.11 (hvn1)
10.0.1.1 (hvn2)

/etc/pf.conf
block log
pass in on hvn0
pass in on hvn1
pass out on hvn2

With the above, when the first packet of a connection comes in on either hvn0
or hvn1, state will be created. If future packets switch to coming in the
other interface, they will be treated as part of the already-established
connection. The pass out rule is still needed to ensure that traffic that is
allowed in, is also then allowed back out again.

-ken
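The following is an added toy model, written for this thread and not code from pf or from either poster, that replays the two rulesets above through a deliberately simplified filter: each forwarded packet is evaluated once "in" on its ingress interface and once "out" on its egress interface, the last matching rule wins, and a state is matched on any interface under "floating" but only on its creating interface under "if-bound" (pf's real `set state-policy` setting). It covers only the forward direction of a connection, uses the addresses and hvn0/hvn1/hvn2 names from the thread, and, to isolate what "floating" does, also runs a constructed variant of ken's ruleset with the "pass in on hvn1" line removed so that only the state can admit an hvn1 packet.

```python
"""Toy model of pf rule/state evaluation (constructed for illustration; this
is not pf's implementation).  Shows why "block log; pass in on hvn0" blocks
forwarded traffic, and what a floating state does for a packet that arrives
on a different interface than the one that created the state."""

from dataclasses import dataclass
from typing import Optional, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    direction: Optional[str]   # "in", "out", or None for both directions
    iface: Optional[str]       # interface name, or None for any interface


def parse_rules(conf: str) -> List[Rule]:
    """Parse only the pf.conf subset used in the thread:
    'block [log]', 'pass in on X', 'pass out on X'."""
    rules = []
    for line in conf.strip().splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        direction = words[1] if len(words) > 1 and words[1] in ("in", "out") else None
        iface = words[words.index("on") + 1] if "on" in words else None
        rules.append(Rule(words[0], direction, iface))
    return rules


class ToyPf:
    def __init__(self, conf: str, state_policy: str = "floating"):
        assert state_policy in ("floating", "if-bound")
        self.rules = parse_rules(conf)
        self.policy = state_policy
        # state table: (src, dst, direction) -> interface that created the state
        self.states: Dict[Tuple[str, str, str], str] = {}

    def _state_matches(self, pkt: Packet, direction: str, iface: str) -> bool:
        created_on = self.states.get((pkt.src, pkt.dst, direction))
        if created_on is None:
            return False
        # floating: any interface may match; if-bound: only the creating one
        return self.policy == "floating" or created_on == iface

    def _evaluate(self, pkt: Packet, direction: str, iface: str) -> str:
        if self._state_matches(pkt, direction, iface):
            return "pass"
        decision = "pass"  # pf's implicit default when no rule matches
        for r in self.rules:  # last matching rule wins
            if r.direction in (None, direction) and r.iface in (None, iface):
                decision = r.action
        if decision == "pass":
            self.states[(pkt.src, pkt.dst, direction)] = iface
        return decision

    def forward(self, pkt: Packet, in_iface: str, out_iface: str) -> str:
        """A forwarded packet must pass both the inbound and outbound evaluation."""
        if self._evaluate(pkt, "in", in_iface) != "pass":
            return "blocked in on " + in_iface
        if self._evaluate(pkt, "out", out_iface) != "pass":
            return "blocked out on " + out_iface
        return "pass"


A, B = "10.0.0.2", "10.0.1.2"          # Host A and Host B from the thread

DANIEL_CONF = "block log\npass in on hvn0\n"
KEN_CONF = "block log\npass in on hvn0\npass in on hvn1\npass out on hvn2\n"
# constructed variant: ken's ruleset without the hvn1 rule, so that only a
# floating state can admit a packet arriving on hvn1
FLOAT_TEST_CONF = "block log\npass in on hvn0\npass out on hvn2\n"


def demo() -> Dict[str, str]:
    results = {}
    pkt = Packet(A, B)
    results["daniel"] = ToyPf(DANIEL_CONF).forward(pkt, "hvn0", "hvn2")
    ken = ToyPf(KEN_CONF)
    results["ken_first_on_hvn0"] = ken.forward(pkt, "hvn0", "hvn2")
    results["ken_next_on_hvn1"] = ken.forward(pkt, "hvn1", "hvn2")
    for policy in ("floating", "if-bound"):
        fw = ToyPf(FLOAT_TEST_CONF, policy)
        results[policy + "_first_on_hvn0"] = fw.forward(pkt, "hvn0", "hvn2")
        results[policy + "_next_on_hvn1"] = fw.forward(pkt, "hvn1", "hvn2")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

With Daniel's ruleset the first packet is admitted on hvn0 but blocked on the outbound evaluation on hvn2, which is the symptom he reported; with ken's ruleset the "pass out on hvn2" rule lets it through. In the constructed variant, the second packet of the connection arriving on hvn1 is admitted by the existing state only under the floating policy; under if-bound the state created on hvn0 does not match on hvn1 and the "block log" rule applies.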