pf buggy on 6.1-STABLE?

Kian Mohageri kian.mohageri at gmail.com
Fri Jun 9 09:52:48 UTC 2006


Just in case anyone is wondering about the same answers, I decided to check
it out tonight.

> When a packet is a state mismatch, doesn't it simply get discarded (assuming
> block policy is "drop")?
>

It appears that pf sends a RST when a state-mismatch happens during the
initial handshake:

> 		if ((*state)->dst.state == TCPS_SYN_SENT &&
> 		    (*state)->src.state == TCPS_SYN_SENT) {
> 			/* Send RST for state mismatches during handshake */
>
>
That would explain why new connections fail immediately when the state is
mismatched.


On 6/8/06, Kian Mohageri <kian.mohageri at gmail.com> wrote:
> >
> > I'm aware.  I meant that as "pass quick" (without any keep state) ;)
> >
> > Kian
> >
> >
> > On 6/8/06, Daniel Eriksson < daniel_k_eriksson at telia.com> wrote:
> > >
> > > Kian Mohageri wrote:
> > >
> > > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > > satisfied with that for obvious reasons.
> > >
> > > The 'quick' keyword does not make the rule non-stateful, it only
> > > aborts
> > > further evaluation of the specific packet.
> > >
> > > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > > information.
> > >
> > > /Daniel Eriksson
> > >
> >
> >
>
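As an added illustration of the distinction discussed in this thread (this is not a configuration from the thread or from the pf project; the interface name `em0` and the port numbers are placeholders), here is a minimal pf.conf that contrasts the block policy, a `quick` rule that is still stateful, and a rule that is actually non-stateful:

```pf
# Added example, not from the thread. Interface and ports are placeholders.
ext_if = "em0"

# "drop" silently discards packets that hit a block rule; "return" would
# answer with a TCP RST / ICMP unreachable instead. Note that the RST seen
# in the thread comes from the state-table check, not from this policy.
set block-policy drop

block in on $ext_if all

# 'quick' only stops further rule evaluation for the packet; with 'keep state'
# this rule still creates a state entry, so a later packet whose direction or
# handshake stage does not match that entry is treated as a state mismatch.
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA keep state

# 'no state' is what makes a rule non-stateful: matching packets are never
# compared with the state table, so a mismatched handshake cannot trigger the
# RST seen above. The trade-off is that no sequence-number or direction
# checking is done for that traffic, and reply packets need their own pass
# rule because no state entry exists to let them back out.
pass in  quick on $ext_if proto tcp from any to any port 80 no state
pass out quick on $ext_if proto tcp from any port 80 to any no state
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file before loading it, and `pfctl -ss` to confirm that only the port-22 rule is creating state entries.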


More information about the freebsd-pf mailing list