Date: Wed, 2 Apr 2008 21:51:05 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Jeremy Chadwick" <koitsu@freebsd.org>
Cc: Diego Salvador <salvador_d13@yahoo.com.ph>, fox@verio.net, freebsd-pf@freebsd.org
Subject: Re: PF and State Table
Message-ID: <fee88ee40804022151x44148f70t9c78185481e89957@mail.gmail.com>
In-Reply-To: <20080403042026.GA88726@eos.sc1.parodius.com>
References: <684548.87924.qm@web57414.mail.re1.yahoo.com> <C65291A68BAF57499B18564A1EE4A7612ECBF8@UXCHANGE1.UoA.auckland.ac.nz> <fee88ee40804022117w6d13d002t2d4d75969517c285@mail.gmail.com> <20080403042026.GA88726@eos.sc1.parodius.com>

On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>
> On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
> > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
> > <m.pagulayan@auckland.ac.nz> wrote:
> > > Hi,
> > >
> > > What pf version are you using? Correct me if I am wrong guys, on PF4.1
> > > which is the release version of pf on freebsd 7.0 when you specify keep
> > > state the flag S/A is implied?
> > >
> >
> > Correct, and if you leave out 'keep state' entirely, it will apply
> > 'flags S/SA keep state'
> >
> > e.g.,
> >
> > kian@alvis:~
> > > cat pf.conf
> > pass on em0
> >
> > kian@alvis:~
> > > pfctl -vnf pf.conf
> > pass on em0 all flags S/SA keep state
>
> I'd like to know what exactly happens to UDP and ICMP packets when
> hitting that rule, since UDP and ICMP don't have such flags. The
> documentation doesn't really discuss what happens in this case.
>
> This is why I solicit having 3 separate rules for each protocol (TCP =
> flags S/SA keep state, UDP = keep state, ICMP = keep state).
>
>

The flags requirement only applies to TCP, so only the 'keep state'
part is applied to UDP/ICMP.

-Kian
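
The rule evaluation discussed in this thread, as an added example that is not part of the original e-mail or of pf's own code: a simplified Python model of how "pass on em0 all flags S/SA keep state" treats the first packet of a TCP, UDP or ICMP flow. The function names and the sample packets are constructed for illustration.

```python
# Simplified model (assumption: not pf source code) of the flags test in
#   pass on em0 all flags S/SA keep state
# It covers only rule matching for a packet that has no existing state;
# packets that belong to an existing state never reach the ruleset.

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec):
    """Parse pf's 'set/mask' notation, e.g. 'S/SA' -> (0x02, 0x12)."""
    want_s, _, mask_s = spec.partition("/")

    def to_bits(letters):
        bits = 0
        for ch in letters:
            bits |= TCP_FLAGS[ch]
        return bits

    return to_bits(want_s), to_bits(mask_s)


def rule_matches(proto, tcp_flags=0, flags_spec="S/SA"):
    """True if the packet matches the rule and therefore creates state."""
    if proto != "tcp":
        # UDP and ICMP carry no TCP flags: the flags test is skipped and
        # only the 'keep state' part of the rule applies.
        return True
    want, mask = parse_flags(flags_spec)
    # Of the flags named in the mask, exactly the 'want' set must be on.
    return (tcp_flags & mask) == want


# Constructed sample packets: (label, protocol, TCP flag bits)
SAMPLE = [
    ("tcp SYN", "tcp", 0x02),
    ("tcp SYN+ACK", "tcp", 0x12),
    ("tcp ACK", "tcp", 0x10),
    ("udp datagram", "udp", 0),
    ("icmp echo request", "icmp", 0),
]


def evaluate(packets=SAMPLE):
    """Map each sample packet label to whether the rule creates state."""
    return {label: rule_matches(proto, fl) for label, proto, fl in packets}


if __name__ == "__main__":
    for label, created in evaluate().items():
        print(f"{label:20s} -> {'state created' if created else 'no match'}")
```
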