From owner-freebsd-pf@FreeBSD.ORG Wed May 7 20:56:58 2008
From: "Kevin K" <kkutzko@teksavvy.com>
To: "'Ansar Mohammed'", "'Jille'"
Cc: freebsd-pf@freebsd.org
Date: Wed, 7 May 2008 16:56:54 -0400
Subject: RE: UDP weirdness
In-Reply-To: <00a401c8b084$87da9540$978fbfc0$@com>
Message-ID: <006c01c8b084$e1d82670$a5887350$@com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

You cannot track state of stateless protocols such as UDP.
> -----Original Message-----
> From: Ansar Mohammed [mailto:ansarm@gmail.com]
> Sent: Wednesday, May 07, 2008 4:54 PM
> To: 'Jille'
> Cc: 'Kevin K'; freebsd-pf@freebsd.org
> Subject: RE: UDP weirdness
>
> But I thought pf would be tracking state?
> Isn't that the whole point of stateful firewalls?
>
> > -----Original Message-----
> > From: Jille [mailto:jille@quis.cx]
> > Sent: May 7, 2008 4:50 PM
> > To: Ansar Mohammed
> > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > Subject: Re: UDP weirdness
> >
> > Ansar Mohammed wrote:
> > > Ok, so adding the line as you suggested worked.
> > > Thanks Kevin.
> > >
> > > But why do I need to have both entries in for
> > >
> > > pass in proto udp from any to any port 53
> > > pass out proto udp from any to any port 53
> > >
> > > what makes UDP so special?
> > UDP is stateless,
> > With TCP you've got a connection (identified by: local host:port and
> > remote host:port)
> > With UDP, well, you just throw the packages over the line, and hope
> > there is (still) someone on the other end.
> >
> > So there is (almost) no way to detect whether packets are responses to
> > each other
> >
> > -- Jille