Date: Thu, 8 May 2008 00:01:24 +0300
From: "Valentin Bud" <valentin.bud@gmail.com>
To: "Kevin K" <kkutzko@teksavvy.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
Message-ID: <139b44430805071401h664fe840r541afa063b7fe0ca@mail.gmail.com>
In-Reply-To: <006c01c8b084$e1d82670$a5887350$@com>
References: <004f01c8b068$89c89350$9d59b9f0$@com> <005101c8b06b$5f0743c0$1d15cb40$@com> <008b01c8b081$c74692e0$55d3b8a0$@com> <482215F4.1080806@quis.cx> <00a401c8b084$87da9540$978fbfc0$@com> <006c01c8b084$e1d82670$a5887350$@com>
from pf faq --- http://www.openbsd.org/faq/pf/filter.html#pass

quote:

"One will sometimes hear it said that, "One can not create state with UDP as UDP is a stateless protocol!" While it is true that a UDP communication session does not have any concept of state (an explicit start and stop of communications), this does not have any impact on PF's ability to create state for a UDP session. In the case of protocols without "start" and "end" packets, PF simply keeps track of how long it has been since a matching packet has gone through. If the timeout is reached, the state is cleared. The timeout values can be set in the options <http://www.openbsd.org/faq/pf/options.html> section of the pf.conf file."

On Wed, May 7, 2008 at 11:56 PM, Kevin K <kkutzko@teksavvy.com> wrote:
> You cannot track state of stateless protocols such as UDP.
>
> > -----Original Message-----
> > From: Ansar Mohammed [mailto:ansarm@gmail.com]
> > Sent: Wednesday, May 07, 2008 4:54 PM
> > To: 'Jille'
> > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > Subject: RE: UDP weirdness
> >
> > But I thought pf would be tracking state?
> > Isn't that the whole point of stateful firewalls?
> >
> > > -----Original Message-----
> > > From: Jille [mailto:jille@quis.cx]
> > > Sent: May 7, 2008 4:50 PM
> > > To: Ansar Mohammed
> > > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > > Subject: Re: UDP weirdness
> > >
> > > Ansar Mohammed wrote:
> > > > Ok, so adding the line as you suggested worked.
> > > > Thanks Kevin.
> > > >
> > > > But why do I need to have both entries in for
> > > >
> > > > pass in proto udp from any to any port 53
> > > > pass out proto udp from any to any port 53
> > > >
> > > > what makes UDP so special?
> > > UDP is stateless,
> > > With TCP you've got a connection (identified by: local host:port and
> > > remote host:port)
> > > With UDP, well, you just throw the packages over the line, and hope
> > > there is (still) someone on the other end.
> > > So there is (almost) no way to detect whether packets are responses to
> > > each other
> > >
> > > -- Jille
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Kind Regards,
Valentin Bud
www.syk.ro
www.spreadbsd.org/aff/86/1
www.spreadbsd.org/aff/86/2
valentin [dot] bud [at] gmail [dot] com
valentin [dot] bud [at] dep [dot] upt [dot] ro
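A small model of the timer-based UDP state tracking the quoted pf FAQ passage describes, added here as an example (it is not pf's source and not code from anyone in this thread): one entry per flow, refreshed by each matching packet, with a reply matched against the reversed 4-tuple instead of needing its own pass rule. The udp.first / udp.single / udp.multiple names and their values are the pf.conf(5) "set timeout" options and defaults; how the model picks between them is a simplification, and the DNS exchange is constructed.

```python
# Constructed model (not pf's source, not code from this thread) of the timer-based
# UDP state tracking the pf FAQ describes. The timeout names and default values
# are pf.conf(5) "set timeout" options; the stage selection below is a simplification.
TIMEOUTS = {"udp.first": 60, "udp.single": 30, "udp.multiple": 60}


class UdpStateTable:
    """State entries keyed by the 4-tuple of the packet that matched the
    rule. A reply (reversed 4-tuple) passes only while that entry is live."""

    def __init__(self, timeouts=TIMEOUTS):
        self.timeouts = timeouts
        self.states = {}  # (src, sport, dst, dport) -> {"expires": t, "replies": n}

    def _sweep(self, now):
        # Expire any entry whose timer has run out since the last packet.
        for key in [k for k, s in self.states.items() if s["expires"] <= now]:
            del self.states[key]

    def rule_packet(self, src, sport, dst, dport, now):
        """Packet matching the pass rule: create state, or refresh it."""
        self._sweep(now)
        key = (src, sport, dst, dport)
        st = self.states.get(key)
        if st is None:
            self.states[key] = {"expires": now + self.timeouts["udp.first"], "replies": 0}
        else:
            stage = "udp.multiple" if st["replies"] else "udp.single"
            st["expires"] = now + self.timeouts[stage]
        return True

    def reply_packet(self, src, sport, dst, dport, now):
        """Packet in the opposite direction: needs a live state, no second rule."""
        self._sweep(now)
        st = self.states.get((dst, dport, src, sport))  # reversed 4-tuple
        if st is None:
            return False
        st["replies"] += 1
        st["expires"] = now + self.timeouts["udp.multiple"]
        return True


def dns_example():
    """Constructed DNS exchange: query out, reply in, then a late reply."""
    table = UdpStateTable()
    table.rule_packet("10.0.0.5", 40000, "192.0.2.53", 53, now=0)
    early = table.reply_packet("192.0.2.53", 53, "10.0.0.5", 40000, now=5)
    # 95 s of silence exceeds udp.multiple (60 s): the entry has been cleared.
    late = table.reply_packet("192.0.2.53", 53, "10.0.0.5", 40000, now=100)
    return early, late
```

The second reply is dropped not because UDP has an "end" packet but because the timer ran out, which is exactly the mechanism the FAQ describes.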