Date: Mon, 6 Oct 2008 14:44:54 +0100
From: "James Seward" <jamesoff@gmail.com>
To: "Jeremy Chadwick" <koitsu@freebsd.org>
Cc: Giorgos Keramidas <keramida@ceid.upatras.gr>, Scott Bennett <bennett@cs.niu.edu>, freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Message-ID: <720051dc0810060644n14495ee4k8f2942d16e634c78@mail.gmail.com>
In-Reply-To: <20081006115101.GA19442@icarus.home.lan>
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan> <871vyuj6ul.fsf@kobe.laptop> <20081006115101.GA19442@icarus.home.lan>
On Mon, Oct 6, 2008 at 12:51 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
> I've never gotten a definite answer as to what happens if you use "flags
> S/SA" on a rule that is for UDP, since UDP is a non-negotiated protocol.
> That's why I split them up per protocol on RELENG_6 boxes.

It intelligently ignores it:

% pfctl -vn -f-
pass out proto { tcp udp } all flags S/SA keep state

Output:

pass out proto tcp all flags S/SA keep state
pass out proto udp all keep state

/JMS
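The expansion James shows with `pfctl -vn -f-` is worth being able to reproduce when reviewing a ruleset offline: a brace list of protocols becomes one rule per protocol, and the TCP-only `flags` option is silently dropped from the non-TCP copies. The following is an added illustration, not code from the thread or from pf itself; it is a small emulation of that one expansion step (the protocol list and the `flags` option), not a pf parser, and it generalises the tcp/udp case from the post to any protocol list on the assumption that `flags` is meaningful only for tcp. `SAMPLE_RULE` is the rule from the post; `flags_dropped` is a helper name I chose for an audit of which protocols lose their `flags` on expansion.

```python
import re
from typing import List

# The combined rule from the thread (constructed sample input).
SAMPLE_RULE = "pass out proto { tcp udp } all flags S/SA keep state"

# "proto { tcp udp }" style list; group(1) holds the protocol names.
PROTO_LIST = re.compile(r"\bproto\s*\{\s*([^}]*)\}")
# "proto tcp" style single protocol.
PROTO_ONE = re.compile(r"\bproto\s+(\S+)")
# The TCP-only "flags X/Y" option, including the space before it.
FLAGS_OPT = re.compile(r"\s*\bflags\s+\S+")

# Placeholder used while rebuilding the rule per protocol; chosen so it
# cannot collide with pf syntax.
_SLOT = "@PROTO@"


def _split_proto(rule: str):
    """Return (protocols, template) where template has _SLOT in place of
    the proto clause. Raises ValueError if the rule has no proto clause."""
    m = PROTO_LIST.search(rule)
    if m:
        protos = m.group(1).split()
    else:
        m = PROTO_ONE.search(rule)
        if not m:
            raise ValueError("rule has no proto clause")
        protos = [m.group(1)]
    template = rule[:m.start()] + "proto " + _SLOT + rule[m.end():]
    return protos, template


def expand_rule(rule: str) -> List[str]:
    """Emulate pfctl's expansion of a protocol list: one rule per protocol,
    with the TCP-only 'flags' option removed from every non-tcp copy.
    (Assumption: flags applies only to tcp, as the pfctl -vn output shows.)"""
    rule = " ".join(rule.split())  # normalise whitespace
    protos, template = _split_proto(rule)
    expanded = []
    for proto in protos:
        per_proto = template.replace(_SLOT, proto)
        if proto != "tcp":
            per_proto = FLAGS_OPT.sub("", per_proto)
        expanded.append(" ".join(per_proto.split()))
    return expanded


def flags_dropped(rule: str) -> List[str]:
    """Audit helper: list the protocols in `rule` whose copy would lose a
    'flags' option on expansion, i.e. every non-tcp protocol when the rule
    carries flags. Empty list means nothing is silently ignored."""
    rule = " ".join(rule.split())
    if not FLAGS_OPT.search(rule):
        return []
    protos, _ = _split_proto(rule)
    return [p for p in protos if p != "tcp"]


if __name__ == "__main__":
    for line in expand_rule(SAMPLE_RULE):
        print(line)
    print("flags dropped for:", flags_dropped(SAMPLE_RULE))
```

Run as a script it prints the same two lines `pfctl -vn` produced in the post, and `flags_dropped` reports `['udp']`, which is the information a reviewer wants when deciding whether to keep a combined `{ tcp udp }` rule or split it per protocol as Jeremy does.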