Date: Thu, 26 Jan 2006 11:48:24 -0800 From: Kian Mohageri <kian@restek.wwu.edu> To: freebsd-security@freebsd.org Subject: stateful rulesets with PF Message-ID: <43D92788.3030001@restek.wwu.edu>
I've read a bit about how keeping state works with PF and written rulesets which look logical to me, but present some problems intermittently. I believe it has to do with the creation of state entries, and how PF judges what to do in any case.

> pass in quick on em0 from <trusted> to any port = 3306 keep state

As I understood it, because I did not specify any flags such as S/SA, pf will be able to pass packets starting mid-session (how or if it does this is where I'm unclear). I'm also unclear about how it will ever judge whether or not to drop packets from <trusted> to port 3306.

Generally this rule (or a similar one) would work fine, however I run into problems occasionally in which a client is unable to bypass the firewall to connect to 3306 (mysql) on this server. I notice it mostly with PHP scripts which constantly query the database server. My initial thought was to check the number of entries in the state table, which I figured might have been full, but it was nowhere near full.

Are there times when stateful rules cause problems like this? It seems like "flags S/SA keep state" should work just fine, which it *usually* does...but thought I'd ask the experts anyway since I'm seeing problems.

Thanks,
Kian

--
Kian Mohageri
ResTek, Western Washington University
kian@restek.wwu.edu
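The difference the message asks about, shown as an added pf.conf fragment that is not part of the original post: the rule as posted (state created on any matching packet) beside the same rule with `flags S/SA`, which creates state only on the initial SYN, plus a logging block rule so a client that falls through neither rule is visible on pflog0 instead of silently dropped. The interface name, the table contents and the address values are assumptions for illustration.

```pf
# Added example, not from the original message. Interface, table and
# address values below are assumed for illustration.
ext_if = "em0"
table <trusted> { 10.0.0.0/24 }   # assumed: hosts allowed to reach MySQL

# As posted: state is created on ANY matching TCP packet, including one
# seen in the middle of an already-established connection. A state picked
# up mid-stream starts without the window-scaling information that only
# the SYN exchange carries, so later packets of that connection can fail
# pf's sequence-window check and be dropped while the state still exists.
pass in quick on $ext_if proto tcp from <trusted> to any port 3306 keep state

# Tightened: create state only when SYN is set and ACK is clear (S/SA),
# i.e. on the first packet of a new connection. Packets that belong to no
# state fall through to the block rule below instead of creating one.
pass in quick on $ext_if proto tcp from <trusted> to any port 3306 \
    flags S/SA keep state

# Log what falls through so a failing client leaves a trace:
#   tcpdump -n -e -ttt -i pflog0
# To see whether an existing state is rejecting packets, watch the
# "state-mismatch" counter in "pfctl -s info" and inspect the stuck
# client's entry with "pfctl -s states".
block in log on $ext_if proto tcp from <trusted> to any port 3306
```

Only one of the two pass rules would be loaded in practice; they are shown side by side so the flag difference is visible. The block rule is what turns an intermittent, silent failure into a logged event that can be correlated with the client's error.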
