On Thu, Feb 26, 2009 at 06:47:23AM +0100, ropers wrote:
> 2009/2/26 patrick keshishian <[email protected]>:
> > On Wed, Feb 25, 2009 at 8:05 PM, Rod Whitworth <[email protected]> wrote:
> >> Now there is a difference. In case you missed it - I used "pass out"
> >> not "pass out on $ext_if" but that makes no difference, in fact as I
> >> pointed out earlier there is no "block out" for anything in the ruleset
> >> so you can remove the "pass out" line entirely.
> >
> > how are the states for your outbound traffic getting created if you
> > did not have a 'pass out' rule?
>
> pf.conf(5) says:
>
> > If no rule matches the packet, the
> > default action is to pass the packet.
>
> Now correct me if I'm wrong, but given that since OpenBSD 4.1 keep
> state is the default, wouldn't that also mean that state is created
> for the packets which get passed as per the aforementioned default
> action?
>
> Or does keep state only apply to rules written in pf.conf, and not to
> the pass-by-default behaviour?
Based on my own tests, it appears that stateful tracking only applies when an actual filter rule matches. This would certainly be the sane design choice.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
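An added pf.conf illustration of the point above; it is not from the thread or from either poster. It assumes OpenBSD 4.1 or later (keep state implied on pass rules), keeps the `$ext_if` macro from the thread, and uses a constructed interface name and port; the `block all` default-deny line is an addition for an explicit policy, not something the original ruleset had.

```pf
# Added example, not from the thread. "em0" and port 22 are constructed
# placeholders; $ext_if is the macro the thread refers to.
ext_if = "em0"

set skip on lo

# Ruleset A (what the thread describes): no "block out" anywhere, so an
# outbound packet that matches no rule is passed by pf's default action.
# Per the observation above, that implicit pass creates no state entry:
# "pfctl -ss" shows nothing for the connection, and the reply packets are
# likewise judged rule by rule instead of by state match.
#
#   pass in on $ext_if proto tcp to port 22
#
# Ruleset B: make the outbound policy explicit. Since OpenBSD 4.1 a pass
# rule keeps state unless it says "no state", so the "pass out" rule below
# creates a state entry on the first outbound packet and the replies come
# back in by matching that state, not by the default action.
block log all                        # default deny: nothing passes by accident
pass in  on $ext_if proto tcp to port 22
pass out on $ext_if                  # "keep state" is implied here

# Checking the difference (as root):
#   pfctl -nf /etc/pf.conf   # parse the ruleset without loading it
#   pfctl -f  /etc/pf.conf   # load it
#   pfctl -sr                # rules actually in the kernel
#   pfctl -ss                # state table: with ruleset B an outbound
#                            # connection from this host now appears; with
#                            # ruleset A it does not
```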

