I must be doing something wrong, but I can't figure it out.
I actually simplify the network structure, to keep it simple
- a client and a web server are on different network segments;
- all incoming connections to the client are prohibited;
- client should be allowed to access web server and get a reply;
Here are the rules:
set state-policy floating
pass in quick proto tcp to <www_servers> port $www_tcp_ports flags
S/SA keep state
block in log to <protected_dev_net>
In the pflog I can see that reply packet from www server is blocked on
server's segment interface. I thought 'set state-policy floating'
should create a rule interface independent and allow a reply? Am I