From owner-freebsd-pf@FreeBSD.ORG  Thu Apr  3 04:20:26 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 56D2D106564A
	for <freebsd-pf@freebsd.org>; Thu,  3 Apr 2008 04:20:26 +0000 (UTC)
	(envelope-from jdc@parodius.com)
Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3])
	by mx1.freebsd.org (Postfix) with ESMTP id 46B268FC12
	for <freebsd-pf@freebsd.org>; Thu,  3 Apr 2008 04:20:26 +0000 (UTC)
	(envelope-from jdc@parodius.com)
Received: by mx01.sc1.parodius.com (Postfix, from userid 1000)
	id 2B4461CC038; Wed,  2 Apr 2008 21:20:26 -0700 (PDT)
Date: Wed, 2 Apr 2008 21:20:26 -0700
From: Jeremy Chadwick <koitsu@freebsd.org>
To: Kian Mohageri <kian.mohageri@gmail.com>
Message-ID: <20080403042026.GA88726@eos.sc1.parodius.com>
References: <684548.87924.qm@web57414.mail.re1.yahoo.com>
	<C65291A68BAF57499B18564A1EE4A7612ECBF8@UXCHANGE1.UoA.auckland.ac.nz>
	<fee88ee40804022117w6d13d002t2d4d75969517c285@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <fee88ee40804022117w6d13d002t2d4d75969517c285@mail.gmail.com>
User-Agent: Mutt/1.5.17 (2007-11-01)
Cc: Diego Salvador <salvador_d13@yahoo.com.ph>, fox@verio.net,
	freebsd-pf@freebsd.org
Subject: Re: PF and State Table
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2008 04:20:26 -0000

On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
> On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
> <m.pagulayan@auckland.ac.nz> wrote:
> > Hi,
> >
> >  What pf version are you using? Correct me if I am wrong guys, on PF4.1
> >  which a the release version of pf on freebsd 7.0 when you specify keep
> >  state the flag S/A is implied?
> >
> 
> Correct, and if you leave out 'keep state' entirely, it will apply
> 'flags S/SA keep state'
> 
> e.g.,
> 
> kian@alvis:~
> > cat pf.conf
> pass on em0
> 
> kian@alvis:~
> > pfctl -vnf pf.conf
> pass on em0 all flags S/SA keep state

I'd like to know what exactly happens to UDP and ICMP packets when
hitting that rule, since UDP and ICMP don't have such flags.  The
documentation doesn't really discuss what happens in this case.

This is why I solicit having 3 separate rules for each protocol (TCP =
flags S/SA keep state, UDP = keep state, ICMP = keep state).

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |