From: "Kian Mohageri" <kian.mohageri@gmail.com>
Date: Wed, 14 May 2008 16:13:51 -0700
To: "Mark Pagulayan"
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan wrote:
> Hi Guys,
>
> OS: FreeBSD 7.0-RELEASE
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' into rules?
>

It does... actually 'flags S/SA keep state'.

> The problem is that when it comes to this rule:
>
> pass in quick on $int_if
>
> after loading to pf
>
> pass in quick on em0 flags S/SA keep state
>
> The way I see this is that this rule would be applied to UDP traffic as
> well, which will be dropped/blocked because flags only work for TCP, and
> this might be the cause of state-mismatches that I see in the table -
>

'flags S/SA keep state' will work OK for UDP too. Only the 'keep state' part will be applied to UDP, since no flags are involved.

> state-mismatch 11577272 48.7/s
>

Could be caused by reloading your ruleset to include 'keep state' mid-connections, I think. PF won't be aware of where the state is (especially true if you're using TCP window scaling), so it will fail after a while and you'll see state mismatches.

> How can we prevent pf from loading the flags S/SA in the rules
> automatically?
>

Use 'no state' after the rule if it's necessary. But keep in mind stateful tracking is faster. E.g.:

pass in on $ext_if no state

> Also what is the effect of this on the block rule?
>
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'
>

Not sure what you mean, but read pf.conf(5) man page.

-Kian
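The rules discussed in this thread written out with their state options made explicit, as an added pf.conf example that is not from either poster; the macro names, em0 and the block rules come from the posts, the em1 value for $ext_if is assumed.

```pf
# Interface macros as used in the thread (em0 from the post, em1 assumed).
int_if = "em0"
ext_if = "em1"

# The block rules from the question. Without "quick", a later matching
# pass rule wins, which is why they come first.
block in log on $ext_if all
block return out log on $ext_if all

# Written as "pass in quick on $int_if" with no state option, pf 4.1 loads
# the rule as "pass in quick on em0 flags S/SA keep state". The flags are
# only evaluated on TCP packets; UDP is matched by "keep state" alone.
# The same defaults spelled out per protocol, so nothing is implied:
pass in quick on $int_if proto tcp flags S/SA keep state
pass in quick on $int_if proto udp keep state

# Stateless variant from the reply: no state entry is created, so no flags
# are involved and the rule never contributes to state-mismatch counts.
# Stateful tracking is faster, so use this only where it is needed.
pass in on $ext_if no state

# Check how pf expands the ruleset without loading it (-n) and verbosely (-v):
#   pfctl -nvf /etc/pf.conf
# Watch the counter from the question (total and per-second rate):
#   pfctl -s info | grep state-mismatch
```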