pf creating states by default now?
Olli Hauer
ohauer at gmx.de
Sun Sep 7 21:31:45 UTC 2008
> >> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> >> that weren't there initially. Is this effect intended and, if so, how
> >> can I tell pf not to create states from certain rules?
> >>
> >> Thanks! And excuse me if I'm just missing something.
> >>
> >> Yar
> >>
> >
> > Yes, it is not in man pf.conf(5) but in the Rel Notes
> > http://www.freebsd.org/releases/7.0R/relnotes.html
> > See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
>
> Thank you for pointing me out!
>
> > The man page matches the OpenBSD one:
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
>
> And in OpenBSD-current the manpage still reads: "...keep state
> must be specified explicitly to apply [stateful tracking] options
> to a rule."
>
> Perhaps we can fix this issue in our src tree and then send the
> patch upstream to the OpenBSD folks, can't we? In Subversion, the
> price of touching an imported file is not nearly as high as it used
> to be in CVS.
>
Yes, parts of the document should be updated.
> > What is your reason for not using 'S/SA keep state' at this rules?
>
> I think I'm hitting some obscure issue with pf state synchronisation
> between two routers, so I'd like to prevent at least internal connections
> from being torn when a switch from the master to the backup router occurs
> via carp. The routers have a lot of vlan interfaces, and I'd like to limit
> stateful filtering to the uplink vlan only.
>
> > You can disable this with the 'no state' keyword
>
> I see now. Your help is much appreciated!
>
> Yar
Hm, maybe something like this can be your solution (example for ssh traffic):
# no state rule to manage the router interface (not carp/vlans/cloned interfaces)
pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state
# all other ssh traffic
pass in inet proto tcp from any to any port 22
Regards,
olli
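The thread's point is that, since FreeBSD 7.0 (and OpenBSD 4.1, per the release notes linked above), a plain `pass` rule silently gets `keep state` unless it ends in `no state`. When auditing a large ruleset for the behaviour Yar ran into, it helps to find every rule that will create state without saying so. The checker below is an added example written for this page, not code from the thread or from pf itself; it assumes the post-7.0 semantics described here (pass implies keep state, block never creates state, `no state` opts out, `keep`/`modulate`/`synproxy state` make it explicit) and, as a simplification, one rule per line with no `\` continuations. The sample ruleset is constructed in the shape of Olli's ssh example.

```python
import re

# Keywords that make a rule's state handling explicit.  Under the pf.conf
# grammar of FreeBSD 7.0 / OpenBSD 4.1 and later, "pass" without any of
# these (and without "no state") implicitly behaves as "keep state".
EXPLICIT_STATE = ("keep state", "modulate state", "synproxy state")

# Lines that are not filter rules: comments, blank lines, macros, options,
# tables, anchors, translation rules, scrub and queueing.  None of these
# create filter state on their own.  Assumption for this checker: one rule
# per line; real rulesets may wrap a rule with a trailing backslash.
NON_FILTER = re.compile(
    r"^\s*(#|$|[A-Za-z_][A-Za-z0-9_]*\s*=|set\s|table\s|anchor\s|load\s|"
    r"nat\s|rdr\s|binat\s|scrub\s|altq\s|queue\s)"
)


def classify_rule(line):
    """Classify one pf.conf line.

    Returns one of:
      'implicit' - a pass rule with no state keyword; pf adds 'keep state'
                   (flags S/SA for TCP) even though the rule does not say so
      'explicit' - the rule names its own state behaviour
      'none'     - a block rule, or a pass rule ending in 'no state'
      'skip'     - not a filter rule
    """
    if NON_FILTER.match(line):
        return "skip"
    text = line.split("#", 1)[0].strip()   # ignore trailing comments
    if text.startswith("block"):
        return "none"
    if not text.startswith("pass"):
        return "skip"
    if re.search(r"\bno state\b", text):
        return "none"
    if any(kw in text for kw in EXPLICIT_STATE):
        return "explicit"
    return "implicit"


def audit(ruleset):
    """Return (line_no, classification, rule_text) for every filter rule."""
    out = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        cls = classify_rule(line)
        if cls != "skip":
            out.append((n, cls, line.strip()))
    return out


def implicit_state_rules(ruleset):
    """Only the rules that will create state without an explicit keyword."""
    return [(n, t) for n, cls, t in audit(ruleset) if cls == "implicit"]


# Constructed sample ruleset in the shape of the thread's ssh example.
SAMPLE = """\
internal = "10.0.0.0/8"
if_base = "em0"
set skip on lo0
block in all
# no state rule for the router's own address on the base interface
pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state
# all other ssh traffic: this rule silently becomes 'keep state'
pass in inet proto tcp from any to any port 22
pass out on $if_base inet proto tcp from any to any keep state
"""

if __name__ == "__main__":
    for n, cls, text in audit(SAMPLE):
        print(f"{n:3} {cls:8} {text}")
    print("rules creating state implicitly:", implicit_state_rules(SAMPLE))
```

Run it against a ruleset written before the 7.0 upgrade and every line reported as `implicit` is a candidate for either an explicit `keep state` (if stateful tracking was wanted all along) or `no state` (for the vlan-facing rules Yar wants to keep out of pfsync). The `none` result for the `$if_base:0` rule reproduces Olli's suggestion: a quick, stateless match on the router's own address, leaving the broader rule to carry state.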