Date:      Thu, 26 Jan 2006 11:48:24 -0800
From:      Kian Mohageri <kian@restek.wwu.edu>
To:        freebsd-security@freebsd.org
Subject:   stateful rulesets with PF
Message-ID:  <43D92788.3030001@restek.wwu.edu>


I've read a bit about how keeping state works with PF and written
rulesets which look logical to me, but present some problems
intermittently.  I believe it has to do with the creation of state
entries, and how PF judges what to do in any case.

> pass in quick on em0 from <trusted> to any port 3306 keep state

As I understood it, because I did not specify any flags such as S/SA, pf
will be able to pass packets starting mid-session (how or if it does
this is where I'm unclear).  I'm also unclear about how it will ever
judge whether or not to drop packets from <trusted> to port 3306.

Generally this rule (or a similar one) would work fine, however I run
into problems occasionally in which a client is unable to bypass the
firewall to connect to 3306 (mysql) on this server.  I notice it mostly
with PHP scripts which constantly query the database server.

My initial thought was to check the number of entries in the state table
which I figured might have been full, but it was nowhere near full.

Are there times when stateful rules cause problems like this?  It seems
like "flags S/SA keep state" should work just fine, which it *usually*
does...but thought I'd ask the experts anyway since I'm seeing problems.

Thanks,

Kian

-- 
Kian Mohageri
ResTek, Western Washington University
kian@restek.wwu.edu

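For readers comparing the two forms of the rule discussed above, here is a pf.conf fragment that puts the flag-less rule beside the `flags S/SA` version and shows where a state-table check fits. It is an added example, not the poster's own ruleset: the interface em0 and the <trusted> table come from the message, while the table contents, the state limit and the timeout value are illustrative assumptions.

```pf
# Added example pf.conf fragment (not the poster's ruleset).  em0 and
# <trusted> are from the message; the addresses, the limit and the
# timeout are assumed values chosen for illustration.

table <trusted> { 10.0.0.0/24, 192.0.2.10 }

# Raise the state-table ceiling (pf of this era defaults to 10000
# entries) and keep idle MySQL sessions alive long enough for clients
# that hold persistent connections.  Compare the live counters with
# 'pfctl -si' (current entries) and 'pfctl -sm' (configured limits).
set limit states 20000
set timeout tcp.established 86400

# Default deny for traffic arriving on em0; 'quick' rules below win.
block in log on em0

# Rule as written in the message, with no 'flags' clause (commented out).
# State is created by whatever TCP packet first matches, so a packet
# from the middle of a session (ACK or PSH, no SYN) can create state.
# pf has then missed the handshake and does not know the window-scale
# factors, so its sequence-number window checks can later reject
# legitimate segments of that same session.
# pass in quick on em0 proto tcp from <trusted> to any port 3306 keep state

# Hardened form: only the initial SYN (S set, A clear) may create state,
# so every tracked session begins with a handshake pf has seen in full.
# A mid-session packet with no matching state falls through to the block.
pass in quick on em0 proto tcp from <trusted> to any port 3306 flags S/SA keep state
```

When a client is refused intermittently, check whether it still has a state entry with `pfctl -ss | grep 3306` and look at per-rule state counters with `pfctl -vvsr`. The caveat that goes with `flags S/SA`: anything that wipes the state table, such as `pfctl -F states` or restarting pf, leaves every established MySQL session without a state, and since those sessions will never send another SYN, pf blocks them until the client opens a new connection. A PHP client reusing a long-lived connection is exactly the case that notices this.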


