From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 05:38:35 2008
Date: Tue, 1 Apr 2008 22:26:18 -0700 (PDT)
From: Diego Salvador
To: freebsd-pf@freebsd.org
Message-ID: <88224.68960.qm@web57401.mail.re1.yahoo.com>
Subject: PF and State Table

To Whom It May Concern:

Hi! Can someone explain the details of how the PF state table stores the stateful filtering option "keep state"? I know this will be used and applied to the TCP, UDP and ICMP/ICMPv6 protocols for stateful filtering. When I use this "keep state" option, it is said that it can help in optimizing firewall rules, because the rules will no longer be evaluated when that information is already stored in the table.

Is it only IP addresses (source->destination or destination->source) that are kept in the state table? If so, does the source-destination direction of the IP address entries matter?

What about TCP and its flags? How does PF store them in the state table? Is there any difference in performance if we specify TCP flags with keep state, as compared to TCP with keep state but without flags? For example,

    pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state
    pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state flags S/SA

In which file of PF in the FreeBSD kernel is the state table structure located?

Thank you!

Sincerely Yours,
Diego Salvador