Date:      Fri, 9 Jun 2006 01:47:50 -0700
From:      "Kian Mohageri" <kian.mohageri@gmail.com>
Cc:        freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject:   Re: pf buggy on 6.1-STABLE?
Message-ID:  <fee88ee40606090147wf7943b6xa9fe2f7dae5347f6@mail.gmail.com>
In-Reply-To: <fee88ee40606081526m46a6a373kc4f138db17205f2b@mail.gmail.com>
References:  <fee88ee40606080706u1adc618eo2c8ed889e7e3199f@mail.gmail.com> <4F9C9299A10AE74E89EA580D14AA10A605F5BA@royal64.emp.zapto.org> <fee88ee40606081526m46a6a373kc4f138db17205f2b@mail.gmail.com>

I think it is also worth mentioning that the connections failed (at least
for me) immediately.  There do not appear to be any timeouts.  Initially,
this is what led me to believe it was NOT pf because my block policy was
drop, not reject.  When a packet is a state mismatch, doesn't it simply get
discarded (assuming block policy is "drop")?  If so, shouldn't the client
simply assume the packet was lost and retransmit, or time out after a period of
time?  I am having trouble understanding why the connection would fail
immediately if pf was dropping packets.

That, however, should mean that disabling pf wouldn't help -- but it does.
Does pf handle state-mismatch differently?  Maybe a pf expert could speak on
that.

Kian

On 6/8/06, Kian Mohageri <kian.mohageri@gmail.com> wrote:
>
> I'm aware.  I meant that as "pass quick" (without any keep state) ;)
>
> Kian
>
>
> On 6/8/06, Daniel Eriksson <daniel_k_eriksson@telia.com> wrote:
> >
> > Kian Mohageri wrote:
> >
> > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > satisfied with that for obvious reasons.
> >
> > The 'quick' keyword does not make the rule non-stateful, it only aborts
> > further evaluation of the specific packet.
> >
> > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > information.
> >
> > /Daniel Eriksson
> >
>
>


