PF and State Table

Diego Salvador salvador_d13 at yahoo.com.ph
Wed Apr 2 05:38:35 UTC 2008


To Whom It May Concern:

Hi! Can someone explain the details of how the PF state table stores the stateful filtering option "keep state"? I know this will be used and applied to the TCP, UDP and ICMP/ICMPv6 protocols for stateful filtering. When I use this "keep state" option, it is said that it can help in optimizing firewall rules, because the rules will no longer be evaluated when that information is already stored in the table. Is it only the IP addresses (source->destination or destination->source) that are kept in the state table? If so, does the source-destination direction of the entries matter? What about TCP and its flags? How does PF store them in the state table? Is there any difference in performance if we specify TCP flags with keep state, compared to TCP with keep state but without flags? For example,

pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state 
pass in on $ext_if inet proto TCP from any to 192.168.100.1 keep state flags S/SA

In what file of the FreeBSD kernel is the PF state table structure located?

Thank you!

Sincerely Yours,

Diego Salvador

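As an added illustration (not PF's code, and not part of the original post): a toy Python model of a "keep state" lookup keyed on protocol plus addresses and ports and matched in both directions, with an optional flags check standing in for `flags S/SA`. The rule, addresses and ports are constructed; real PF also tracks TCP sequence windows, timeouts and interfaces, which are not modelled.

```python
from typing import Dict, NamedTuple, Optional, Tuple

SYN, ACK = 0x02, 0x10                       # TCP header flag bits

class Packet(NamedTuple):
    proto: str                              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0                          # TCP flags; 0 for other protocols

class StateTable:
    """Toy model: one entry per flow, keyed on (proto, src, sport, dst, dport)
    and matched in both directions. Real PF also tracks TCP sequence windows,
    timeouts and interfaces; none of that is modelled here."""
    def __init__(self, allowed_dst: str, flags: Optional[Tuple[int, int]] = None):
        self.allowed_dst = allowed_dst      # models "from any to 192.168.100.1"
        self.flags = flags                  # (set, mask) models "flags S/SA"
        self.entries: Dict[tuple, bool] = {}
        self.rule_evaluations = 0           # how often the ruleset was consulted

    def rule_matches(self, p: Packet) -> bool:
        self.rule_evaluations += 1
        if p.proto != "tcp" or p.dst != self.allowed_dst:
            return False
        if self.flags is None:              # plain "keep state": any flags create state
            return True
        want, mask = self.flags             # S/SA: of SYN and ACK, exactly SYN is set
        return (p.flags & mask) == want

    def filter(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Step 1: state lookup in either direction, before any rule is read.
        if fwd in self.entries or rev in self.entries:
            return "pass:state"
        # Step 2: no state, so evaluate the rule and create state on a match.
        if self.rule_matches(p):
            self.entries[fwd] = True
            return "pass:rule"
        return "block"

def run_demo(flags: Optional[Tuple[int, int]]):
    """Constructed traffic: a handshake, data, then a stray ACK with no prior SYN."""
    t = StateTable("192.168.100.1", flags)
    syn = Packet("tcp", "203.0.113.5", 40000, "192.168.100.1", 22, SYN)
    synack = Packet("tcp", "192.168.100.1", 22, "203.0.113.5", 40000, SYN | ACK)
    data = Packet("tcp", "203.0.113.5", 40000, "192.168.100.1", 22, ACK)
    stray = Packet("tcp", "198.51.100.9", 5555, "192.168.100.1", 22, ACK)
    return [t.filter(p) for p in (syn, synack, data, data, stray)], t.rule_evaluations
```

Run `run_demo(None)` against `run_demo((SYN, SYN | ACK))`: both consult the ruleset only twice for five packets, since the reply and data packets hit existing state, but only the `S/SA` variant refuses to create state from the stray ACK.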

