From owner-freebsd-pf@FreeBSD.ORG  Wed May  7 21:43:52 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B1D301065670
	for <freebsd-pf@freebsd.org>; Wed,  7 May 2008 21:43:52 +0000 (UTC)
	(envelope-from jdc@parodius.com)
Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3])
	by mx1.freebsd.org (Postfix) with ESMTP id C72B28FC22
	for <freebsd-pf@freebsd.org>; Wed,  7 May 2008 21:43:51 +0000 (UTC)
	(envelope-from jdc@parodius.com)
Received: by mx01.sc1.parodius.com (Postfix, from userid 1000)
	id AF8251CC05B; Wed,  7 May 2008 14:43:51 -0700 (PDT)
Date: Wed, 7 May 2008 14:43:51 -0700
From: Jeremy Chadwick <koitsu@freebsd.org>
To: Ansar Mohammed <ansarm@gmail.com>
Message-ID: <20080507214351.GA74641@eos.sc1.parodius.com>
References: <004f01c8b068$89c89350$9d59b9f0$@com>
	<005101c8b06b$5f0743c0$1d15cb40$@com>
	<008b01c8b081$c74692e0$55d3b8a0$@com> <482215F4.1080806@quis.cx>
	<00a401c8b084$87da9540$978fbfc0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <00a401c8b084$87da9540$978fbfc0$@com>
User-Agent: Mutt/1.5.17 (2007-11-01)
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2008 21:43:52 -0000

On Wed, May 07, 2008 at 04:54:22PM -0400, Ansar Mohammed wrote:
> But I thought pf would be tracking state?
> Isnt that the whole point of statefull firewalls?

UDP is stateless, however pf still tracks the "state" in the sense that
it knows when there's an outbound or inbound initial packet for UDP,
thus creates a "state" for it.  It can do the same with ICMP.  I believe
the teardown/state removal is based on a timeout (of when it last sees
packets matching that src/dst IP and port).

Keep in mind that if you're using RELENG_6, you'll need "keep state" on
those pass in/pass out rules you used.  If you're using RELENG_7, "keep
state" is implicit, so you won't need to specify it in your config.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |