Timo Buhrmester
2016-12-26 18:56:25 UTC
Hi,
suppose you have a router with two interfaces:
- vr0, behind which is 192.168.0.0/24, and
- vr1, behind which is 192.168.1.0/24
and a (testcase) ipf.conf like this:
block in quick on vr0 all
block out quick on vr0 all
pass in quick on vr1 family inet proto udp from any to any keep state
I noticed that UDP datagrams ingressing on vr1 do get routed out on vr0,
the 'block out on vr0 all' rule notwithstanding.
I assume that is because I keep state on the packets when they arrive
on vr1.
Is this a bug, or is it working as designed? For some reason, I
assumed there to be per-interface state tables and hence consideration
of the vr0 rules (i.e. I assumed a 'keep state' on a vr1 rule would only
skip looking at the vr1 rules for future matching packets)
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
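A small Python model of the behaviour the post describes (added here as an illustration; it is not IPFilter's code). It assumes, as the poster suspects, a single state table shared by all interfaces and consulted before the rule list in both directions; the Pkt fields, addresses and ports are constructed sample values, and a default policy of pass is assumed.

```python
"""Toy model of the packet path from the post above (added example, not IPFilter
source). Assumed: one global state table, checked before the rule list in both
directions, so state created on vr1 passes the datagram out of vr0 unexamined."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "iface direction proto src sport dst dport")

# The testcase ipf.conf from the post: (direction, iface, proto or None, action, keep state)
RULES = [
    ("in", "vr0", None, "block", False),
    ("out", "vr0", None, "block", False),
    ("in", "vr1", "udp", "pass", True),
]

def flow_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # one table for all interfaces (assumption being modelled)

    def check(self, p):
        # 1. state lookup first, independent of interface and direction
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow_key(p) in self.state or rev in self.state:
            return "pass (state)"
        # 2. otherwise the first matching "quick" rule decides
        for direction, iface, proto, action, keep_state in self.rules:
            if direction == p.direction and iface == p.iface and proto in (None, p.proto):
                if action == "pass" and keep_state:
                    self.state.add(flow_key(p))
                return action
        return "pass (default)"  # assumption: default policy is pass

def forward_udp(rules):
    """Route one constructed UDP datagram from behind vr1 to behind vr0; return both verdicts."""
    fw = Firewall(rules)
    ingress = Pkt("vr1", "in", "udp", "192.168.1.10", 40000, "192.168.0.20", 53)
    egress = Pkt("vr0", "out", "udp", "192.168.1.10", 40000, "192.168.0.20", 53)
    return fw.check(ingress), fw.check(egress)

if __name__ == "__main__":
    print(forward_udp(RULES))  # ('pass', 'pass (state)'): vr0 out rule never consulted
    stateless = [(d, i, p, a, False) for d, i, p, a, _ in RULES]
    print(forward_udp(stateless))  # ('pass', 'block'): without state the vr0 rule applies
```

Dropping keep state is shown only to make the difference visible; the model does not say which configuration is appropriate for a given router.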