From: "Ansar Mohammed"
To: "'Jille'"
Cc: freebsd-pf@freebsd.org
Subject: RE: UDP weirdness
Date: Wed, 7 May 2008 16:54:22 -0400

But I thought pf would be tracking state? Isn't that the whole point of stateful firewalls?

> -----Original Message-----
> From: Jille [mailto:jille@quis.cx]
> Sent: May 7, 2008 4:50 PM
> To: Ansar Mohammed
> Cc: 'Kevin K'; freebsd-pf@freebsd.org
> Subject: Re: UDP weirdness
>
> Ansar Mohammed wrote:
> > Ok, so adding the line as you suggested worked.
> > Thanks Kevin.
> >
> > But why do I need to have both entries in for
> >
> > pass in proto udp from any to any port 53
> > pass out proto udp from any to any port 53
> >
> > what makes UDP so special?
> UDP is stateless,
> With TCP you've got a connection (identified by: local host:port and
> remote host:port)
> With UDP, well, you just throw the packages over the line, and hope there
> is (still) someone on the other end.
>
> So there is (almost) no way to detect whether packets are responses to
> each other
>
> -- Jille
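
An added illustration, not part of the thread and not pf's code: a simplified model of how a stateful filter, pf included, can match UDP replies without a handshake, by keying a state entry on the address and port pairs and expiring it after an idle timeout. The class, the addresses and the 30-second timeout are constructed for the example.

```python
# Simplified model of UDP "pseudo-state" in a stateful packet filter.
# Not pf's implementation: names, addresses and the timeout are constructed.
from dataclasses import dataclass

UDP_STATE_TIMEOUT = 30.0  # idle seconds before a state expires (sample value)

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", relative to the firewall host
    src: str
    sport: int
    dst: str
    dport: int

class UdpStateTable:
    def __init__(self, timeout=UDP_STATE_TIMEOUT):
        self.timeout = timeout
        self.states = {}  # (local, lport, remote, rport) -> last-seen time

    @staticmethod
    def _key(pkt):
        # Normalise both directions of one exchange to the same key.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt, now):
        """Return 'pass' or 'block' for one UDP packet seen at time `now`."""
        key = self._key(pkt)
        last = self.states.get(key)
        if last is not None and now - last <= self.timeout:
            self.states[key] = now      # matching live state: refresh, pass
            return "pass"
        self.states.pop(key, None)      # drop an expired entry, if any
        # Modelled policy: outbound UDP to port 53 passes and creates state;
        # everything else, including unsolicited inbound, is blocked.
        if pkt.direction == "out" and pkt.dport == 53:
            self.states[key] = now
            return "pass"
        return "block"

def demo():
    fw = UdpStateTable()
    query = Packet("out", "192.0.2.10", 40000, "198.51.100.53", 53)
    reply = Packet("in", "198.51.100.53", 53, "192.0.2.10", 40000)
    spoof = Packet("in", "203.0.113.7", 53, "192.0.2.10", 40000)
    return [fw.filter(reply, 0.0),   # no state yet
            fw.filter(query, 1.0),   # outbound query creates state
            fw.filter(reply, 1.2),   # reverse tuple matches the state
            fw.filter(spoof, 1.3),   # different remote address, no state
            fw.filter(reply, 60.0)]  # state idle longer than the timeout
```

The model shows the trade-off behind the question: a reply is accepted only while a matching entry is live, so a late or unsolicited datagram from port 53 is dropped instead of being admitted by a blanket inbound rule.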