From: Ermal Luçi
To: Jon Radel
Date: Wed, 15 Oct 2008 23:18:21 +0200
Message-ID: <9a542da30810151418j2afc5086te6a23da90889d26f@mail.gmail.com>
In-Reply-To: <48F65AD9.808@radel.com>
Cc: Peter Clark, freebsd-pf@freebsd.org
Subject: Re: PF syntax error

On Wed, Oct 15, 2008 at 11:04 PM, Jon Radel wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>>> global)
>>
>> Is it a copy-paste error or you forgot keep state in there?
>> It should look
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global)
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....

Well, it's just code that tries to be smart if it finds a syntax of the form
pass in quick on $ext_if proto tcp from any to any port 22
other than that it needs to be certain that you meant what you meant.

>
> Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
>
> --Jon Radel
>
>

--
Ermal
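
The point of the exchange above, as an added pf.conf fragment that is not part of the original thread: the parenthesised source-tracking options are only accepted after an explicit state keyword, even though "keep state" is the implicit default. The interface name em0 and the table name <ssh_overload> are assumptions made for this example; the table name used in the original rule does not survive in the archived message.

```conf
# Added example, not from the thread. "em0" and <ssh_overload> are assumed names.
ext_if = "em0"

# Table that the overload action fills. "persist" keeps the table in
# memory even while no rule references it or it holds no addresses.
table <ssh_overload> persist

# The overload action only records offending addresses. A rule has to
# consult the table for the limit to have any effect on new connections.
block in quick on $ext_if from <ssh_overload>

# Rejected with a syntax error (the form reported in the thread): the option
# list follows "flags S/SA" directly, with no state keyword in front of it.
#
#   pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA
#       (max-src-conn 15, max-src-conn-rate 5/3, overload <ssh_overload> flush global)

# Accepted: the same options attached to an explicit "keep state".
#   max-src-conn 15        at most 15 established connections per source
#   max-src-conn-rate 5/3  at most 5 new connections per source in 3 seconds
#   overload <table>       add a source that exceeds either limit to the table
#   flush global           drop every existing state from that source
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <ssh_overload> flush global)
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, which surfaces this kind of syntax error before the ruleset is replaced; `pfctl -t ssh_overload -T show` lists the addresses the rule has added to the table.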