2009/2/26 patrick keshishian <[email protected]>:
> On Wed, Feb 25, 2009 at 8:05 PM, Rod Whitworth <[email protected]> wrote:
>> Now there is a difference. In case you missed it - I used "pass out"
>> not "pass out on $ext_if" but that makes no difference, in fact as I
>> pointed out earlier there is no "block out" for anything in the ruleset
>> so you can remove the "pass out" line entirely.
>
> how are the states for your outbound traffic getting created if you
> did not have a 'pass out' rule?
>
> --patrick

pf.conf(5) says:

> If no rule matches the packet, the
> default action is to pass the packet.

Now correct me if I'm wrong, but given that since OpenBSD 4.1 keep state is the default, wouldn't that also mean that state is created for the packets which get passed as per the aforementioned default action? Or does keep state only apply to rules written in pf.conf, and not to the pass-by-default behaviour?

kind regards,
--ropers

