Date: Fri, 9 Jun 2006 02:52:41 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <fee88ee40606090252sbb97d5eqc4515d822cfdf35@mail.gmail.com>
In-Reply-To: <fee88ee40606090147wf7943b6xa9fe2f7dae5347f6@mail.gmail.com>
References: <fee88ee40606080706u1adc618eo2c8ed889e7e3199f@mail.gmail.com> <4F9C9299A10AE74E89EA580D14AA10A605F5BA@royal64.emp.zapto.org> <fee88ee40606081526m46a6a373kc4f138db17205f2b@mail.gmail.com> <fee88ee40606090147wf7943b6xa9fe2f7dae5347f6@mail.gmail.com>
Just in case anyone is wondering about the same answers, I decided to check
it out tonight.

> When a packet is a state mismatch, doesn't it simply get discarded (assuming
> block policy is "drop")?

It appears that pf sends a RST when a state-mismatch happens during the
initial handshake:

    if ((*state)->dst.state == TCPS_SYN_SENT &&
        (*state)->src.state == TCPS_SYN_SENT) {
            /* Send RST for state mismatches during handshake */

That would explain why new connections fail immediately when the state is
mismatched.

On 6/8/06, Kian Mohageri <kian.mohageri@gmail.com> wrote:
>
> I'm aware. I meant that as "pass quick" (without any keep state) ;)
>
> Kian
>
> On 6/8/06, Daniel Eriksson <daniel_k_eriksson@telia.com> wrote:
> >
> > Kian Mohageri wrote:
> >
> > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > satisfied with that for obvious reasons.
> >
> > The 'quick' keyword does not make the rule non-stateful, it only
> > aborts further evaluation of the specific packet.
> >
> > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > information.
> >
> > /Daniel Eriksson
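Added illustration, not part of the thread and not Kian's or Daniel's configuration: a pf.conf fragment that puts the two rule forms discussed above side by side. The first is the stateless "pass quick" workaround Kian describes (on the pre-OpenBSD-4.1 pf shipped in FreeBSD 6.x a rule without "keep state" creates no state entry, so both directions must be matched explicitly); the second is the stateful form that creates the entry pf later checks for mismatches. The interface name and address range are assumptions.

```pf
# Added example, not from the mailing-list thread.
# Assumptions: external interface em0, internal network 192.0.2.0/24.
ext_if = "em0"
lan    = "192.0.2.0/24"

# Default for block rules; state-mismatch drops are silent under this
# policy, the RST during the handshake comes from the state code itself.
set block-policy drop

# Default deny. Without 'quick' the LAST matching rule wins, so this
# only takes effect when no later rule matches.
block all

# Stateless workaround from the thread: no 'keep state', so no state
# entry exists that a later packet could mismatch. 'quick' only stops
# rule evaluation at the first match; it does not make the rule stateless,
# the absence of 'keep state' does (on FreeBSD 6.x pf). Because nothing
# tracks the connection, the reply direction needs its own rule.
pass quick on $ext_if proto tcp from $lan to any port 80
pass quick on $ext_if proto tcp from any port 80 to $lan

# Stateful form: the SYN ('flags S/SA') creates the entry, replies are
# matched against it, and a packet that does not fit the tracked TCP
# state is counted as a state-mismatch (and answered with a RST while
# both sides are still in SYN_SENT, per the pf.c snippet above).
pass quick on $ext_if proto tcp from $lan to any port 443 flags S/SA keep state
```

To see whether the stateful rule is the one being hit, compare the "state-mismatch" counter in "pfctl -si" before and after reproducing the failure, and look at the tracked entries with "pfctl -ss"; a rising mismatch count with entries stuck in SYN_SENT:SYN_SENT matches the behaviour the thread describes.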