From owner-freebsd-pf@FreeBSD.ORG Sun Sep 7 15:58:35 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21BE0106566C for ; Sun, 7 Sep 2008 15:58:35 +0000 (UTC) (envelope-from ohauer@gmx.de)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id 82F588FC1C for ; Sun, 7 Sep 2008 15:58:34 +0000 (UTC) (envelope-from ohauer@gmx.de)
Received: (qmail 21667 invoked by uid 0); 7 Sep 2008 15:31:51 -0000
Received: from 194.231.39.124 by www043.gmx.net with HTTP; Sun, 07 Sep 2008 17:31:51 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
Date: Sun, 07 Sep 2008 17:31:51 +0200
From: "Olli Hauer"
In-Reply-To:
Message-ID: <20080907153151.310630@gmx.net>
MIME-Version: 1.0
References:
To: Yar Tikhiy , freebsd-pf@freebsd.org
X-Authenticated: #1956535
X-Flags: 0001
X-Mailer: WWW-Mail 6100 (Global Message Exchange)
X-Priority: 3
X-Provags-ID: V01U2FsdGVkX194iJw2Mj54mG64y1LJChfkBrBcZunHI9abVk85YQ 7mYIaPAjnbQShf9fmPQlSPpWSR3r59hqx6Jw==
Content-Transfer-Encoding: 8bit
X-GMX-UID: 08Hxe2ZOPTR+K4DpLDIwVAU5c2tpZMte
Cc:
Subject: Re: pf creating states by default now?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 07 Sep 2008 15:58:35 -0000

> Hi all,
>
> After upgrading a production machine from 6.x to 7.x,
> I noticed that pf would create states from rules without
> "keep state". IMSMR, it hadn't happened before, and
> the pf.conf(5) manpage still says one has to specify
> "keep state" explicitly for pf to create states.
>
> Just examined this issue more closely on a CURRENT machine.
> If I load the following simple pf.conf file:
>
>     set skip on lo0
>     block return all
>     pass out all
>     pass in inet proto icmp all icmp-type echoreq
>     pass in inet proto tcp from any to any port 22
>
> then I get these actual rules as shown by "pfctl -s rules":
>
>     block return all
>     pass out all flags S/SA keep state
>     pass in inet proto icmp all icmp-type echoreq keep state
>     pass in inet proto tcp from any to any port = ssh flags S/SA keep state
>
> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> that weren't there initially. Is this effect intended and, if so, how
> can I tell pf not to create states from certain rules?
>
> Thanks! And excuse me if I'm just missing something.
>
> Yar

Yes, it is not in man pf.conf(5) but in the Rel Notes
http://www.freebsd.org/releases/7.0R/relnotes.html

See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)

The man page matches the OpenBSD one
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

What is your reason for not using 'S/SA keep state' on these rules?

You can disable this with the 'no state' keyword

Regards,
olli
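As an added illustration that is not part of the original thread, here is Yar's ruleset with the implicit stateful default written out and the ssh rule made deliberately stateless with the 'no state' keyword Olli refers to. The interface name em0 and the 192.0.2.0/24 management network are assumptions made for the example; the original rules used "any".

```pf
# Added example, not from the original mail thread.
# em0 and 192.0.2.0/24 are assumed values for illustration only.
ext_if   = "em0"
mgmt_net = "192.0.2.0/24"

set skip on lo0
block return all

# Identical to "pass out all" on pf 4.1+ (FreeBSD 7.0+): pfctl adds
# "flags S/SA keep state" itself, so only a packet with SYN set and ACK
# clear can create the state; the rest of the connection is matched
# against the state table, not against the ruleset.
pass out all flags S/SA keep state

pass in inet proto icmp all icmp-type echoreq keep state

# Stateless variant of the ssh rule. "no state" suppresses the implicit
# "keep state", so every segment of the connection is evaluated against
# the ruleset. Note that pfctl then adds no "flags S/SA" check either:
# any TCP segment whose addresses and ports match is passed, SYN or not.
pass in on $ext_if inet proto tcp from $mgmt_net to any port 22 no state

# With no state entry the replies are not matched automatically. They are
# covered here by the stateful "pass out all" above; if the outbound side
# were stateless too, the reverse direction would need its own rule:
#   pass out on $ext_if inet proto tcp from any port 22 to $mgmt_net no state
```

To see exactly what pfctl makes of a file without loading it, run `pfctl -nvf /etc/pf.conf`: the -n flag parses only, and -v prints the expanded rules, so the added "flags S/SA keep state" (or its absence on the 'no state' rule) is visible before the ruleset goes live. The security trade-off is the one the comments point out: the stateful default only admits connections that begin with a SYN, whereas a stateless rule passes any matching segment in isolation, so 'no state' is worth using only where asymmetric routing or state-table pressure genuinely requires it.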