Date: Thu, 08 Nov 2007 20:08:52 +0100
From: Dag-Erling Smørgrav <des@des.no>
To: net@freebsd.org
Subject: pf misfeature
Message-ID: <86zlxoblmj.fsf@ds4.des.no>
Given appropriate definitions for $eth and $lan, you'd expect the following rule to simply pass all traffic originating from and destined for the LAN:

    pass on $eth from $lan to $lan

However, in pf, "keep state" is *implicit* (why?), so you'd expect it to turn into something like this:

    pass on $eth from $lan to $lan keep state

but what you actually get is this:

    pass on $eth from $lan to $lan flags S/SA keep state

which only matches TCP handshakes, so your UDP streams are screwed.

Workaround: explicitly specify TCP and UDP, causing pf to split the rule into two:

    pass on $eth inet proto { tcp, udp } from $lan to $lan

becomes

    pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
    pass on $eth inet proto udp from $lan to $lan keep state

There does not seem to be any way to turn off this misguided rewriting of firewall rules.

DES
-- 
Dag-Erling Smørgrav - des@des.no
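A check for the rewriting described in the mail, added here as an example and not part of the original message: it scans the expanded ruleset (as printed by a `pfctl -nvf /etc/pf.conf` dry run, in the form the rules appear above) for rules that were given `flags S/SA` without being restricted to `proto tcp`, since those silently stop matching UDP and ICMP. The interface name, addresses and sample rule lines are constructed placeholders.

```shell
#!/bin/sh
# Lint expanded pf rules for the implicit "flags S/SA" problem.
# Real use: pfctl -nvf /etc/pf.conf | lint_rules_from_stdin
# The sample below is a constructed stand-in for that output, modelled on
# the rules quoted in the mail (em0 and 192.0.2.0/24 are placeholders).
SAMPLE_RULES='pass on em0 inet from 192.0.2.0/24 to 192.0.2.0/24 flags S/SA keep state
pass on em0 inet proto tcp from 192.0.2.0/24 to 192.0.2.0/24 flags S/SA keep state
pass on em0 inet proto udp from 192.0.2.0/24 to 192.0.2.0/24 keep state'

# Print every rule that carries "flags S/SA" but is not limited to TCP.
# Such a rule only matches TCP SYNs, so non-TCP traffic it was meant to
# pass falls through to whatever rule comes next (often a default block).
find_tcp_only_rules() {
    printf '%s\n' "$1" | grep 'flags S/SA' | grep -v 'proto tcp'
}

# Number of offending rules; 0 means the ruleset is clean.
count_tcp_only_rules() {
    find_tcp_only_rules "$1" | grep -c . || true
}

# Convenience wrapper for piping real pfctl output into the check.
lint_rules_from_stdin() {
    rules=$(cat)
    n=$(count_tcp_only_rules "$rules")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n rule(s) got implicit 'flags S/SA' and will not match UDP/ICMP:" >&2
        find_tcp_only_rules "$rules" >&2
        return 1
    fi
    echo "OK: no TCP-only rewrites found"
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_RULES" | lint_rules_from_stdin
```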