FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Tom Uffner
tom at uffner.com
Wed May 14 23:34:52 UTC 2008
Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?
this is correct.
> The problem is that when it comes to this rule:
>
> pass in quick on $int_if
>
> after loading to pf
>
> pass in quick on em0 flags S/SA keep state
>
> The way I see this is that this rule would be applied to udp traffic as
> well which will be dropped/blocked because flags only work for tcp and
> this might be the cause of state-mismatches that I see in the table -
>
> state-mismatch 11577272 48.7/s
you are misinterpreting. Pf just does the right thing in most cases. your
rule "pass in quick on $int_if" is actually interpreted as the following 3
rules:
pass in quick on em0 proto tcp flags S/SA keep state
pass in quick on em0 proto udp keep state
pass in quick on em0 proto icmp keep state
>
> How can we prevent pf from loading the flags S/SA in the rules
> automatically?
add the phrase "flags any".
you must also add "no state" now if you do not want stateful filtering
for some reason.
> Also what is the effect of this on the block rule?
>
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'
you shouldn't have to worry about it. in almost all cases pf will do what
you mean with that.
tom