From owner-freebsd-pf@FreeBSD.ORG Thu Apr 3 04:51:06 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 51B9F1065671 for ; Thu, 3 Apr 2008 04:51:06 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.182]) by mx1.freebsd.org (Postfix) with ESMTP id 0C7718FC1C for ; Thu, 3 Apr 2008 04:51:05 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: by py-out-1112.google.com with SMTP id u52so4266696pyb.10 for ; Wed, 02 Apr 2008 21:51:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=TuPhF/lw7J/IFilpPbq89TWataYtxvVvcG16YHms/5g=; b=j4BgMDIcO4ieR2MUDhSHnJp1qWduYlP/9HliEeamQ3A69Si/zzZeN5cqo7vS72q/y64zGLqk9beliFmD5WgXFM2NRkb3yky/x/y1cKy6uXjsgdqGsIJ/NUJngxxAcQKOF4XjQAG89SjQniAz4AF643qyX6a9NNGYOw4UhtLYfGA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YuAunCgcBcliihfZZYrdToA3Ek03f/d9HykEX1sRYM9t+vgBoHxmc+nI+4CBP0IMYJWhCmNeKRZrrN+bbBRfPzCncbFpnxGcHMJaTbrk5YveFpd0OFv6iIJrvKV3Cigc5XtlFblkJQZyNoo7ZT1Hp8EQfUBQGvT+rCy0usEEvSk=
Received: by 10.65.213.4 with SMTP id p4mr21764564qbq.83.1207198265304; Wed, 02 Apr 2008 21:51:05 -0700 (PDT)
Received: by 10.65.116.4 with HTTP; Wed, 2 Apr 2008 21:51:05 -0700 (PDT)
Message-ID:
Date: Wed, 2 Apr 2008 21:51:05 -0700
From: "Kian Mohageri"
To: "Jeremy Chadwick"
In-Reply-To: <20080403042026.GA88726@eos.sc1.parodius.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <684548.87924.qm@web57414.mail.re1.yahoo.com> <20080403042026.GA88726@eos.sc1.parodius.com>
Cc: Diego Salvador , fox@verio.net, freebsd-pf@freebsd.org
Subject: Re: PF and State Table
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 03 Apr 2008 04:51:06 -0000

On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick wrote:
>
> On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
> > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
> > wrote:
> > > Hi,
> > >
> > > What pf version are you using? Correct me if I am wrong guys, on PF4.1
> > > which is the release version of pf on freebsd 7.0 when you specify keep
> > > state the flag S/A is implied?
> > >
> >
> > Correct, and if you leave out 'keep state' entirely, it will apply
> > 'flags S/SA keep state'
> >
> > e.g.,
> >
> > kian@alvis:~
> > > cat pf.conf
> > pass on em0
> >
> > kian@alvis:~
> > > pfctl -vnf pf.conf
> > pass on em0 all flags S/SA keep state
>
> I'd like to know what exactly happens to UDP and ICMP packets when
> hitting that rule, since UDP and ICMP don't have such flags. The
> documentation doesn't really discuss what happens in this case.
>
> This is why I solicit having 3 separate rules for each protocol (TCP =
> flags S/SA keep state, UDP = keep state, ICMP = keep state).
>

The flags requirement only applies to TCP, so only the 'keep state' part is applied to UDP/ICMP.

-Kian
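The two ways of writing the ruleset discussed in this thread, side by side, as an added illustration that is not part of the original message or of the pf project's own documentation. The interface name em0 comes from Kian's test; the macro name and the comments are assumptions made for the example.

```pf
# Added example (not from the thread). ext_if is an assumed macro name;
# em0 is the interface Kian used in his pfctl -vnf test.
ext_if = "em0"

# Form 1: the single rule from the thread. Left commented out here so the
# file does not contain both forms at once. pfctl -vnf expands it to
#   pass on em0 all flags S/SA keep state
# The 'flags S/SA' part is only checked for TCP; a UDP or ICMP packet that
# matches this rule gets a state entry without any flag check.
#
# pass on $ext_if

# Form 2: one rule per protocol, with the defaults written out so that a
# reader of the ruleset does not have to know what pf fills in.
# For TCP, 'flags S/SA' means only a packet with SYN set and ACK clear
# creates state, i.e. the first packet of a handshake; a stray mid-stream
# segment does not.
pass on $ext_if proto tcp  flags S/SA keep state
pass on $ext_if proto udp  keep state
pass on $ext_if proto icmp keep state
```

To confirm what pf will actually load, run `pfctl -vnf pf.conf` as in the thread: with Form 2 each rule is printed back unchanged, which is the point of spelling the defaults out.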