From owner-freebsd-stable@FreeBSD.ORG  Fri Jun  9 09:52:48 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F347C16A41A
	for <freebsd-stable@freebsd.org>; Fri,  9 Jun 2006 09:52:47 +0000 (UTC)
	(envelope-from kian.mohageri@gmail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.187])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C8FCA43D73
	for <freebsd-stable@freebsd.org>; Fri,  9 Jun 2006 09:52:46 +0000 (GMT)
	(envelope-from kian.mohageri@gmail.com)
Received: by nf-out-0910.google.com with SMTP id l23so541357nfc
	for <freebsd-stable@freebsd.org>; Fri, 09 Jun 2006 02:52:41 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:subject:cc:in-reply-to:mime-version:content-type:references;
	b=CJzBvD+OuFaW9OWtc305q9Fn2MHg1bCNv+qNetYKKT6riLtD8LUUP/ATEe+XXfcCtUINCGjJNY+QmpBs/KstDYcMRbTaU+nDuWxkABn4ia5Bfc08akQMrl8w6rLzWXG4GTSsCeXS4+L9ZtGPEgoDXHzDH+056ZzcyPm4KQEGS74=
Received: by 10.48.225.3 with SMTP id x3mr1163474nfg;
	Fri, 09 Jun 2006 02:50:07 -0700 (PDT)
Received: by 10.48.108.17 with HTTP; Fri, 9 Jun 2006 02:52:41 -0700 (PDT)
Message-ID: <fee88ee40606090252sbb97d5eqc4515d822cfdf35@mail.gmail.com>
Date: Fri, 9 Jun 2006 02:52:41 -0700
From: "Kian Mohageri" <kian.mohageri@gmail.com>
In-Reply-To: <fee88ee40606090147wf7943b6xa9fe2f7dae5347f6@mail.gmail.com>
MIME-Version: 1.0
References: <fee88ee40606080706u1adc618eo2c8ed889e7e3199f@mail.gmail.com>
	<4F9C9299A10AE74E89EA580D14AA10A605F5BA@royal64.emp.zapto.org>
	<fee88ee40606081526m46a6a373kc4f138db17205f2b@mail.gmail.com>
	<fee88ee40606090147wf7943b6xa9fe2f7dae5347f6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2006 09:52:48 -0000

Just in case anyone is wondering about the same answers, I decided to check
it out tonight.

When a packet is a state mismatch, doesn't it simply get discarded (assuming
> block policy is "drop")?
>

It appears that pf sends a RST when a state-mismatch happens during the
initial handshake:

		if ((*state)->dst.state == TCPS_SYN_SENT &&
> 		    (*state)->src.state == TCPS_SYN_SENT) {
> 			/* Send RST for state mismatches during handshake */
>
>
That would explain why new connections fail immediately when the state is
mismatched.


On 6/8/06, Kian Mohageri <kian.mohageri@gmail.com> wrote:
> >
> > I'm aware.  I meant that as "pass quick" (without any keep state) ;)
> >
> > Kian
> >
> >
> > On 6/8/06, Daniel Eriksson < daniel_k_eriksson@telia.com> wrote:
> > >
> > > Kian Mohageri wrote:
> > >
> > > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > > satisfied with that for obvious reasons.
> > >
> > > The 'quick' keyword does not make the rule non-stateful, it only
> > > aborts
> > > further evaluation of the specific packet.
> > >
> > > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > > information.
> > >
> > > /Daniel Eriksson
> > >
> >
> >
>