[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Re: rdr states not if-bound?
From:       Nino Dehne <ndehne () gmail ! com>
Date:       2005-06-27 10:56:06
Message-ID: 20050627105606.GI14460 () charon ! lan ! 0x54434D ! net
[Download RAW message or body]

On Mon, Jun 27, 2005 at 12:39:20PM +0200, Cedric Berger wrote:
> >Repeated setup:
> >
> >             / vlan1 \                    / vlan2 - lan1
> >wan - router -         - fxp0 bridge fxp1 -
> >             \ vlan3 /                    \ vlan4 - lan2
> >
> >I have a "pass quick on { vlan1, vlan3, vlan4 } all" and a relevant
> > 
> >
> What happends if you add "keep state" to the above rule?

Same result as with the more specific rule in the first example in the
previous mail, obviously.

However, I still don't quite understand _why_ states are created this way,
i.e. a pass rule with keep state rendering a rdr state if-bound.

Ideally, I'd not include vlan{1,3,4} in the ruleset at all except for that
single rdr rule. Having to explicitly pass certain traffic just to
influence state creation feels like a kludge to me, since I have to specify
a "policy" of "fudge this port to the proxy" essentially twice. A generic
pass all keep state on all interfaces !vlan2 feels likewise wrong, since I'd
be loading the state table with states that shouldn't be necessary.

Another example would be a default-open bridge which _only_ does transparent
proxying for several ports and a dozen more vlans. There, I'd only have rdr
rules and no filter rules at all and it wouldn't work.

Am I completely off-track with my logic?

Regards,

ND
[prev in list] [next in list] [prev in thread] [next in thread]