From owner-freebsd-pf@FreeBSD.ORG Wed Oct 15 22:17:52 2008
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D39AA106564A; Wed, 15 Oct 2008 22:17:52 +0000 (UTC) (envelope-from clarkp@mtmary.edu)
Received: from fear.mtmary.edu (fear.mtmary.edu [208.24.226.210]) by mx1.freebsd.org (Postfix) with ESMTP id AE66C8FC0C; Wed, 15 Oct 2008 22:17:52 +0000 (UTC) (envelope-from clarkp@mtmary.edu)
Received: from [127.0.0.1] (war.mtmary.edu [172.16.0.200]) by fear.mtmary.edu (Postfix) with ESMTP id 7A1A5596E44; Wed, 15 Oct 2008 16:19:53 -0500 (CDT)
Message-ID: <48F65E78.9060905@mtmary.edu>
Date: Wed, 15 Oct 2008 16:19:52 -0500
From: Peter Clark
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Jon Radel
References: <48F621C2.8080405@mtmary.edu> <20081015202725.GA88225@icarus.home.lan> <9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com>
In-Reply-To: <48F65AD9.808@radel.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-pf@freebsd.org, Ermal Luçi
Subject: Re: PF syntax error
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 15 Oct 2008 22:17:52 -0000

Jon Radel wrote:
> Ermal Luçi wrote:
>> On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick wrote:
>>> On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>> Hello,
>>>>
>>>> I am not sure if I should be here or over at a pf specific list but here
>>>> is my problem.
>>> I've changed the CC list, so this will now go to the freebsd-pf mailing
>>> list instead.
>>>
>>>> I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>> me problems.
>>>>
>>>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush
>>>> global)
>> Is it a copy-paste error or you forgot keep state in there?
>> It should look
>> pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>> keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
>> flush global)
>
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....
>
> Actually, it is, as is "flags S/SA" on TCP connections. Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.
>
> --Jon Radel
>

A number of people all stated (on this list and on questions-freebsd) that it was because I was missing "keep state" from the directive. Sure enough, when I added that it worked.

I am curious why this particular syntax is different from the default of "flags S/SA keep state" for the rest of the connections. Is it only on FreeBSD?

Thank you for looking at this.

Peter Clark
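The rule discussed in the thread, written out as a complete pf.conf fragment with the table and block rule that the overload option needs; this is an added example, not text from any of the messages above. The interface name and the table name <bruteforce> are assumptions (the table name is missing from the quoted rule).

```pf
# Added example, not from the thread. Interface and table names are assumed.
ext_if = "em0"

# Table that "overload" fills with offending source addresses.
# "persist" keeps the table defined even while it is empty.
table <bruteforce> persist

# Block listed offenders first: the pass rule below is "quick", so a block
# rule placed after it would never be reached for a matching SYN.
block in quick on $ext_if from <bruteforce>

# Form that pfctl rejects as a syntax error: the parenthesised state
# options in pf.conf(5) attach to a state keyword (keep state, modulate
# state or synproxy state), so "(" with nothing in front of it is invalid
# even though keep state is the default on FreeBSD 7.0 / OpenBSD 4.1 pf.
# pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
#     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Accepted form, the fix reported in the thread: spell out "keep state"
# so the option list has a keyword to belong to.
#   max-src-conn 15        at most 15 concurrent states per source address
#   max-src-conn-rate 5/3  at most 5 new connections per 3 seconds per source
#   flush global           kill all states from that source when it is added
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)

# Check the file parses before loading it, then inspect the table:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#   pfctl -t bruteforce -T show
```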