Patrick Welche <prlw1%cam.ac.uk@localhost> writes:

> Maybe this use-case is "don't do that". Essentially: take an "internal"
> computer, with its default gateway. Add another network card. Connect
> it directly to "outside", and say run a webserver on it. If you run
> ipf saying block everything on the external card except to port http
> keep state, anyone can successfully connect to your webserver, but
> not to your sshd. If you try the same with npf, the reply from the
> server will be routed via the default gateway, and the 3rd packet,
> i.e., the second from the web client, will be blocked as not matching
> the connection state. (I was confused for ages in PR 53199)
> ("outside" has its own gateway.)

Asymmetric routing and firewalls is tricky business, and requires
cooperating firewalls to synchronize state. So if you want to send
replies via not the default gateway, then you need explicit support
for routing them contrary to routing. I suspect npf can do this, but
that it needs to be explicitly configured.

It is a surprising default for keep state to affect routing.
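The failure mode described in the message above, as an added toy model that is not part of the original thread and is not npf or ipf code: a stateful filter on an external interface tracks a TCP handshake, and the server's SYN-ACK leaves via the default gateway on the internal interface instead. Whether the third packet (the client's ACK) passes depends on one policy choice, whether a state entry is bound to the interface it was created on. The interface names, addresses and the three-phase state machine are constructed for the example; the real filters' internals are not modelled.

```python
"""Toy model: stateful filtering under asymmetric routing.

Two interfaces: EXT faces "outside" (a network with its own gateway),
INT faces the internal network where the host's default gateway lives.
The only filter rule is on EXT: pass inbound TCP SYN to port 80 and
keep state; everything else inbound on EXT is blocked. INT is not
filtered. Replies the server sends are routed via the default gateway,
i.e. they leave on INT, not EXT.

Policy under test: is a state entry bound to the interface on which it
was created? If yes, the SYN-ACK leaving on INT is never matched
against the entry, the entry stays at SYN_SEEN, and the client's ACK
arriving on EXT is "out of sequence" and blocked. If no, the same
entry is found from either interface and the handshake completes.
"""
from dataclasses import dataclass

EXT, INT = "ext0", "int0"   # assumed interface names (constructed)
WEB_PORT = 80
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    ifname: str      # interface the packet is seen on
    direction: str   # "in" or "out" relative to this host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "S" (SYN), "SA" (SYN-ACK) or "A" (ACK)


@dataclass
class State:
    ifname: str              # interface the state was created on
    phase: str = "SYN_SEEN"  # SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED


class StatefulFilter:
    def __init__(self, bind_state_to_interface: bool):
        self.bind = bind_state_to_interface
        self.states = {}

    @staticmethod
    def key(p: Packet):
        # Direction-independent connection key (sorted endpoint pair).
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p: Packet) -> str:
        """Return 'pass' or 'block' for one packet, updating state."""
        st = self.states.get(self.key(p))
        if st is not None and (not self.bind or st.ifname == p.ifname):
            # Packet belongs to a tracked connection: run the state machine.
            if st.phase == "SYN_SEEN" and p.flags == "SA":
                st.phase = "SYNACK_SEEN"
                return "pass"
            if st.phase == "SYNACK_SEEN" and p.flags == "A":
                st.phase = "ESTABLISHED"
                return "pass"
            if st.phase == "ESTABLISHED":
                return "pass"
            return "block"  # does not fit the expected next step
        # No usable state: fall back to the static rules.
        if p.ifname == INT:
            return "pass"   # internal interface is unfiltered
        if p.direction == "in" and p.flags == "S" and p.dport == WEB_PORT:
            self.states[self.key(p)] = State(ifname=p.ifname)
            return "pass"   # "pass in on ext0 ... port 80 keep state"
        return "block"      # "block in on ext0 all"


def handshake(filt: StatefulFilter, reply_ifname: str, dport: int = WEB_PORT):
    """Run a 3-way handshake through filt; the server's SYN-ACK leaves
    on reply_ifname. Returns the verdicts up to the first block (a
    blocked packet never reaches its recipient, so nothing follows)."""
    client, server = "203.0.113.10", "198.51.100.5"  # constructed addresses
    pkts = [
        Packet(EXT, "in", client, 40000, server, dport, "S"),
        Packet(reply_ifname, "out", server, dport, client, 40000, "SA"),
        Packet(EXT, "in", client, 40000, server, dport, "A"),
    ]
    verdicts = []
    for p in pkts:
        v = filt.filter(p)
        verdicts.append(v)
        if v == "block":
            break
    return verdicts


if __name__ == "__main__":
    # Reply routed via the default gateway (INT), state bound to interface:
    # the client's ACK is blocked, as described in the message.
    print(handshake(StatefulFilter(True), INT))
    # Same, but replies leave on EXT (symmetric routing): handshake completes.
    print(handshake(StatefulFilter(True), EXT))
    # State not bound to interface: completes even with the reply on INT.
    print(handshake(StatefulFilter(False), INT))
    # sshd is never reachable from outside under either policy.
    print(handshake(StatefulFilter(True), INT, dport=SSH_PORT))
```

The model only shows why the third packet fails when state is tied to the interface; it says nothing about how either filter is actually configured to route replies, which is the part the reply above says needs explicit support.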