From: Yar Tikhiy
To: freebsd-pf@freebsd.org
Date: Sun, 7 Sep 2008 17:33:07 +0400
Subject: pf creating states by default now?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

After upgrading a production machine from 6.x to 7.x, I noticed that pf would create states from rules without "keep state". IMSMR, it hadn't happened before, and the pf.conf(5) manpage still says one has to specify "keep state" explicitly for pf to create states.

Just examined this issue more closely on a CURRENT machine. If I load the following simple pf.conf file:

> set skip on lo0
> block return all
> pass out all
> pass in inet proto icmp all icmp-type echoreq
> pass in inet proto tcp from any to any port 22

then I get these actual rules as shown by "pfctl -s rules":

> block return all
> pass out all flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in inet proto tcp from any to any port = ssh flags S/SA keep state

Looks like pfctl or pf itself added stateful semantics to my pf.conf that weren't there initially. Is this effect intended and, if so, how can I tell pf not to create states from certain rules?

Thanks! And excuse me if I'm just missing something.

Yar
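Added example (not part of the post, and not pf or pfctl code): a small Python model of the default the post observes, so a ruleset can be audited before loading to see which pass rules will silently become stateful. It assumes two things not shown in the post: that `no state` is the per-rule opt-out documented in pf.conf(5) on 7.x, and that `flags S/SA` is only added for tcp or protocol-less rules; port-to-service renaming (`port 22` to `port = ssh`) is not modelled.

```python
import re

# Constructed sample ruleset: the same five lines quoted in the post above.
SAMPLE_PF_CONF = """\
set skip on lo0
block return all
pass out all
pass in inet proto icmp all icmp-type echoreq
pass in inet proto tcp from any to any port 22
"""

# State options pf accepts on a filter rule; "no state" is the opt-out
# (assumed from pf.conf(5) on FreeBSD 7.x, not shown in the post).
STATE_OPTIONS = ("keep state", "modulate state", "synproxy state", "no state")


def normalize_rule(rule):
    """Model how 'pfctl -s rules' prints one filter rule under the 7.x default.

    Only the behaviour seen in the post is modelled: a 'pass' rule with no
    state option gets 'keep state', plus 'flags S/SA' when the rule is tcp
    or names no protocol.  Returns None for lines that are not filter rules
    (e.g. 'set skip on lo0')."""
    words = rule.split()
    if not words or words[0] not in ("pass", "block"):
        return None
    if words[0] == "block" or any(opt in rule for opt in STATE_OPTIONS):
        return rule                      # printed as written
    m = re.search(r"\bproto\s+(\S+)", rule)
    proto = m.group(1) if m else None    # None: rule matches any protocol
    extra = []
    if proto in (None, "tcp") and "flags" not in words:
        extra.append("flags S/SA")       # default TCP flag match
    extra.append("keep state")           # stateful by default
    return "%s %s" % (rule, " ".join(extra))


def is_stateful(rule):
    """True when the (normalized) rule will create state table entries."""
    return "no state" not in rule and any(opt in rule for opt in STATE_OPTIONS)


def audit(conf):
    """Return [(printed_rule, creates_state)] for every filter rule in conf."""
    result = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        printed = normalize_rule(line)
        if printed is not None:
            result.append((printed, is_stateful(printed)))
    return result


if __name__ == "__main__":
    for printed, stateful in audit(SAMPLE_PF_CONF):
        print("%-9s %s" % ("STATEFUL" if stateful else "stateless", printed))
```

Running `audit()` over the post's ruleset reports the block rule as stateless and the three pass rules as stateful; rewriting a pass rule with `no state` makes it come back stateless, which is the opt-out the question asks about.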