From owner-freebsd-security@FreeBSD.ORG  Fri Jan 22 18:23:47 2010
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1AFC7106566C
	for <freebsd-security@freebsd.org>;
	Fri, 22 Jan 2010 18:23:47 +0000 (UTC) (envelope-from kalin@el.net)
Received: from mail.el.net (mail.el.net [74.1.12.120])
	by mx1.freebsd.org (Postfix) with ESMTP id BDDA68FC0C
	for <freebsd-security@freebsd.org>;
	Fri, 22 Jan 2010 18:23:46 +0000 (UTC)
Received: (qmail 97678 invoked by uid 1008); 22 Jan 2010 19:39:41 -0000
Received: from unknown (HELO kalins-macbook-pro.local)
	(kalin@el.net@74.1.12.115)
	by mail.el.net with ESMTPA; 22 Jan 2010 19:39:41 -0000
Message-ID: <4B59ED31.10304@el.net>
Date: Fri, 22 Jan 2010 13:23:45 -0500
From: kalin m <kalin@el.net>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: "Jason V. Miller" <jmiller@securityfocus.com>
References: <4B5958E2.9010509@el.net>
	<20100122153545.GA23548@mail.securityfocus.com>
In-Reply-To: <20100122153545.GA23548@mail.securityfocus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 18:23:47 -0000




thanks...  i was under the impression that if you have everything 
blocked the initial syn request will be ignored. it doesn't make sense 
otherwise....


Jason V. Miller wrote:
> Others have already given some good feedback (and asked some good
> questions), but:
>
>   
>> pass out all keep state
>>     
>
> You're allowing out the initial TCP SYN, and creating a state entry for the
> connection here. You should be able to make outgoing connections anywhere
> with this rule.
>
> Once a state entry gets created, the state table will match on the traffic
> for the session, and the rules list won't have to be evaluated.
>
> J.
>
>