Date: Wed, 15 Oct 2008 23:18:21 +0200
From: "Ermal Luçi" <ermal.luci@gmail.com>
To: "Jon Radel" <jon@radel.com>
Cc: Peter Clark <clarkp@mtmary.edu>, freebsd-pf@freebsd.org
Subject: Re: PF syntax error
Message-ID: <9a542da30810151418j2afc5086te6a23da90889d26f@mail.gmail.com>
In-Reply-To: <48F65AD9.808@radel.com>
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com>

On Wed, Oct 15, 2008 at 11:04 PM, Jon Radel <jon@radel.com> wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
>>>> global)
>>
>> Is it a copy-paste error or you forgot keep state in there?
>> It should look
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
>> <bruteforce> flush global)
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....

Well, it's just code that tries to be smart if it finds a syntax of the form
pass in quick on $ext_if proto tcp from any to any port 22
other than that it needs to be certain that you meant what you meant.

>
> Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
>
> --Jon Radel
>
>

-- 
Ermal
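
The corrected rule from this thread, placed in a minimal pf.conf fragment as an added example that is not part of the original message. The interface name em0, the default-deny policy and the block rule for the <bruteforce> table are assumptions added so that the overload option has an effect.

```conf
# Constructed example; em0 is an assumed interface name.
ext_if = "em0"

# Table that "overload <bruteforce>" fills with offending source addresses.
table <bruteforce> persist

# Assumed policy: deny inbound by default, and drop overloaded sources
# before the SSH pass rule can match them.
block in on $ext_if all
block in quick on $ext_if from <bruteforce>

# Form reported as a syntax error in the thread: the parenthesized state
# options follow "flags S/SA" directly, with no state keyword before them.
#   ... port 22 flags S/SA (max-src-conn 15, max-src-conn-rate 5/3, ...)

# Corrected form from the reply: the options are attached to an explicit
# "keep state".
#   max-src-conn 15        at most 15 simultaneous connections per source
#   max-src-conn-rate 5/3  at most 5 new connections per 3 seconds per source
#   overload <bruteforce>  add a source exceeding either limit to the table
#   flush global           kill all existing states from that source
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
```

Running `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, so a syntax error like the one in this thread shows up before the rules are applied.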