Date: Wed, 7 May 2008 14:43:51 -0700
From: Jeremy Chadwick <koitsu@freebsd.org>
To: Ansar Mohammed <ansarm@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: UDP weirdness
Message-ID: <20080507214351.GA74641@eos.sc1.parodius.com>
In-Reply-To: <00a401c8b084$87da9540$978fbfc0$@com>
References: <004f01c8b068$89c89350$9d59b9f0$@com> <005101c8b06b$5f0743c0$1d15cb40$@com> <008b01c8b081$c74692e0$55d3b8a0$@com> <482215F4.1080806@quis.cx> <00a401c8b084$87da9540$978fbfc0$@com>
On Wed, May 07, 2008 at 04:54:22PM -0400, Ansar Mohammed wrote:
> But I thought pf would be tracking state?
> Isn't that the whole point of stateful firewalls?

UDP is stateless; however, pf still tracks the "state" in the sense that it knows when there's an outbound or inbound initial packet for UDP, thus creates a "state" for it. It can do the same with ICMP. I believe the teardown/state removal is based on a timeout (of when it last sees packets matching that src/dst IP and port).

Keep in mind that if you're using RELENG_6, you'll need "keep state" on those pass in/pass out rules you used. If you're using RELENG_7, "keep state" is implicit, so you won't need to specify it in your config.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
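As an added illustration of the point made above (not part of the thread), here is a minimal pf.conf fragment contrasting a RELENG_6 UDP rule without "keep state" against the corrected form, plus the timer-based expiry the reply refers to. The interface name em0 and the resolver address 192.0.2.53 are assumptions chosen for the example.

```pf
# Added example, not from the thread. Assumed values: ext_if = em0,
# resolver = 192.0.2.53 (RFC 5737 documentation address).
ext_if   = "em0"
resolver = "192.0.2.53"

# Default-deny inbound on the external interface.
block in on $ext_if

# RELENG_6, problem form: this pass out rule creates no state entry,
# so the resolver's UDP reply is dropped by "block in" above even
# though the query went out. (Commented out; shown for contrast.)
# pass out on $ext_if proto udp from ($ext_if) to $resolver port 53

# RELENG_6, corrected: "keep state" creates a state entry on the first
# outbound datagram, and the matching inbound reply is passed by the
# state lookup rather than by any "pass in" rule.
pass out on $ext_if proto udp from ($ext_if) to $resolver port 53 keep state

# RELENG_7 and later: "keep state" is implicit on pass rules, so the
# rule above behaves the same way with the keyword omitted.

# UDP has no teardown handshake, so state removal is purely timer-based.
# These are pf's documented udp.* timeouts, shown at their default values:
# first packet seen, only one direction seen, both directions seen.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
```

Loading this with pfctl -nf pf.conf checks the syntax without changing the running ruleset; pfctl -ss shows the UDP state entries and their remaining lifetimes after a query goes out.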