From: Michael Weiser
To: freebsd-pf@freebsd.org
Date: Sun, 10 Jul 2005 18:51:22 +0200
Subject: how to turn off pfsync globally
Message-ID: <20050710165122.GA70950@weiser.dinsnail.net>

Hello,

I'm having trouble silencing pfsync. It insists on broadcasting packets
like this

    rule 38/0(match): block out on xl1: 10.10.1.2 > 0.0.0.0: pfsync 228

to the external network interface for every state change. Up until now I
circumvented that by adding the no-sync option to every rule. But since
I installed pftpx I get those broadcasts again, seemingly because
pftpx's dynamic rules don't have the no-sync option.

Now I did another hack and just said

    ifconfig pfsync0 syncdev lo0

But this certainly isn't the right way to do it[tm].

Confusingly the pf documentation on www.openbsd.org says:

> By default, pfsync(4) does not send or receive state table updates on
> the network; however, updates can still be monitored using tcpdump(8) or
> other such tools on the local machine.

Why am I getting them on my external interface then? How do I globally
switch off pfsync if I don't need it?

Thanks in advance.
-- 
bye, Micha
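
The per-rule no-sync workaround described in the mail only holds if every state-creating rule carries the option. The following is an added example, not part of the original mail, that lists the rules which do not. The function names audit_nosync and sample_rules are hypothetical, and the sample ruleset is constructed.

```shell
#!/bin/sh
# audit_nosync (hypothetical helper): read pf rules on stdin, either
# pf.conf text or the output of `pfctl -sr`, and print every rule that
# creates state but lacks the no-sync state option, prefixed with its
# input line number.
audit_nosync() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            rule = $0
            sub(/[ \t]+#.*$/, "", rule)        # drop a trailing comment
            # only rules that create state can generate pfsync updates
            if (rule !~ /(keep|modulate|synproxy) state/) next
            # state options follow in parentheses: keep state (opt, opt)
            opts = ""
            if (match(rule, /state[ \t]*\([^)]*\)/))
                opts = substr(rule, RSTART, RLENGTH)
            if (opts !~ /no-sync/)
                printf "%d: %s\n", NR, rule
        }
    '
}

# Constructed sample ruleset (not taken from the original mail).
sample_rules() {
    cat <<'EOF'
# external interface
block out on xl1 all
pass out on xl1 proto tcp all keep state (no-sync)
pass in on xl1 proto tcp to port 22 modulate state
pass out on xl1 proto udp all keep state (max 200, no-sync)
pass in on xl0 proto tcp to port 21 keep state (max 50)
EOF
}

# Lists the two stateful rules (input lines 4 and 6) missing no-sync.
sample_rules | audit_nosync
```

Rules that a proxy loads into an anchor do not show up in pf.conf, so they have to be dumped from the running ruleset and piped through the same check.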