From: "Olli Hauer" <ohauer@gmx.de>
Date: Sun, 07 Sep 2008 23:31:43 +0200
To: Yar Tikhiy
Cc: freebsd-pf@freebsd.org
Subject: Re: pf creating states by default now?
Message-ID: <20080907213143.15910@gmx.net>
References: <20080907153151.310630@gmx.net>

> >> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> >> that weren't there initially. Is this effect intended and, if so, how
> >> can I tell pf not to create states from certain rules?
> >>
> >> Thanks! And excuse me if I'm just missing something.
> >>
> >> Yar
> >>
> >
> > Yes, it is not in man pf.conf(5) but in the Rel Notes
> > http://www.freebsd.org/releases/7.0R/relnotes.html
> > See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
>
> Thank you for pointing me out!
>
> > The man page matches the OpenBSD one
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
>
> And in OpenBSD-current the manpage still reads: "...keep state
> must be specified explicitly to apply [stateful tracking] options
> to a rule."
>
> Perhaps we can fix this issue in our src tree and then send the
> patch upstream to the OpenBSD folks, can't we? In Subversion, the
> price of touching an imported file is not nearly as high as it used
> to be in CVS.
> Yes, parts of the document should be updated.
>
> > What is your reason for not using 'S/SA keep state' at these rules?
>
> I think I'm hitting some obscure issue with pf state synchronisation
> between two routers, so I'd like to prevent at least internal connections
> from being torn when a switch from the master to the backup router occurs
> via carp. The routers have a lot of vlan interfaces, and I'd like to limit
> stateful filtering to the uplink vlan only.
>
> > You can disable this with the 'no state' keyword
>
> I see now. Your help is much appreciated!
>
> Yar

Hm, maybe something like this can be your solution (example for ssh traffic):

    # no state rule to manage the router interface (not carp/vlans/cloned interfaces)
    pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state

    # all other ssh traffic
    pass in inet proto tcp from any to any port 22

Regards,
olli
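An added example, not part of the thread: a small Python audit that lists the pass rules of a pf.conf that name none of keep state, modulate state, synproxy state or no state, i.e. the rules pf makes stateful implicitly after the change discussed above, so they can be made explicit before relying on carp/pfsync behaviour. The pf.conf it parses is constructed inline and modelled on Yar's setup; the macro and interface names are assumptions.

```python
import re

# Keywords that make a pass rule's state handling explicit in pf.conf.
STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state", "no state")

# Constructed sample, modelled on the thread: many vlans, stateful filtering
# wanted on the uplink only. Macro and interface names are made up here.
SAMPLE_PF_CONF = """\
if_base = "em0"
if_uplink = "vlan100"
internal = "{ 10.0.0.0/8 }"

block in all
# stateful filtering wanted on the uplink vlan
pass in on $if_uplink inet proto tcp from any to any port 22 flags S/SA keep state
# internal ssh: explicitly stateless so a carp failover does not tear it
pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state
# neither keyword: pf since the OpenBSD 4.1 import silently keeps state here
pass in on vlan200 inet proto tcp from any to any port 22 \\
    label "internal-ssh"
pass out on $if_base all
"""

def logical_lines(text):
    """Drop '#' comments and join backslash-continued lines (as pfctl does).
    Simplification: a '#' inside a quoted string is also treated as a comment."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1].rstrip() + " " + line
        elif line:
            lines.append(line)
    return lines

def implicit_state_rules(text):
    """Return every pass rule that names none of STATE_KEYWORDS: its state
    tracking is implicit and should be spelled out (keep state or no state)."""
    return [
        rule for rule in logical_lines(text)
        if re.match(r"pass\b", rule)          # only pass rules create state
        and not any(kw in rule for kw in STATE_KEYWORDS)
    ]

if __name__ == "__main__":
    for rule in implicit_state_rules(SAMPLE_PF_CONF):
        print("implicit state:", rule)
```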