PF and State Table

Kian Mohageri kian.mohageri at gmail.com
Thu Apr 3 04:51:06 UTC 2008


On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>
> On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
>  > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
>  > <m.pagulayan at auckland.ac.nz> wrote:
>  > > Hi,
>  > >
>  > >  What pf version are you using? Correct me if I am wrong, guys: on PF4.1,
>  > >  which is the release version of pf on FreeBSD 7.0, when you specify keep
>  > >  state the flag S/A is implied?
>  > >
>  >
>  > Correct, and if you leave out 'keep state' entirely, it will apply
>  > 'flags S/SA keep state'
>  >
>  > e.g.,
>  >
>  > kian at alvis:~
>  > > cat pf.conf
>  > pass on em0
>  >
>  > kian at alvis:~
>  > > pfctl -vnf pf.conf
>  > pass on em0 all flags S/SA keep state
>
>  I'd like to know what exactly happens to UDP and ICMP packets when
>  hitting that rule, since UDP and ICMP don't have such flags.  The
>  documentation doesn't really discuss what happens in this case.
>
>  This is why I solicit having 3 separate rules for each protocol (TCP =
>  flags S/SA keep state, UDP = keep state, ICMP = keep state).
>
>

The flags requirement only applies to TCP, so only the 'keep state'
part is applied to UDP/ICMP.

-Kian
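
The flags check discussed in this thread, as an added example that is not part of the original message or of PF's source: a simplified Python model of how `flags S/SA` is evaluated, showing that only TCP packets are tested against it while UDP and ICMP fall straight through to `keep state`. The function names and sample packets are constructed for illustration.

```python
# Simplified model of PF's "flags <set>/<mask>" criterion (illustration only,
# not PF code). Flag letters follow pf.conf: F S R P A U E W.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def to_bits(letters):
    """Convert a string of flag letters such as 'SA' to a bit mask."""
    bits = 0
    for c in letters:
        bits |= TCP_FLAGS[c]
    return bits


def parse_flags(spec):
    """Turn 'S/SA' into (flags that must be set, flags that are inspected)."""
    want, _, mask = spec.partition("/")
    return to_bits(want), to_bits(mask)


def passes_flags(proto, tcp_flags="", spec="S/SA"):
    """True if the packet satisfies the flags criterion of the rule."""
    if proto != "tcp":
        # The criterion is TCP-only: UDP and ICMP are not tested against it.
        return True
    want, mask = parse_flags(spec)
    # Out of the inspected flags, exactly the wanted ones must be set.
    return (to_bits(tcp_flags) & mask) == want


# Constructed sample packets: (protocol, TCP flags present)
PACKETS = [
    ("tcp", "S"),    # initial SYN
    ("tcp", "SA"),   # SYN+ACK reply
    ("tcp", "A"),    # mid-stream ACK
    ("tcp", "SF"),   # SYN+FIN: FIN is outside the mask, so it is ignored
    ("udp", ""),
    ("icmp", ""),
]


def evaluate(packets=PACKETS, spec="S/SA"):
    """Return [(proto, flags, passes)] for each sample packet."""
    return [(p, f, passes_flags(p, f, spec)) for p, f in packets]


if __name__ == "__main__":
    for proto, flags, ok in evaluate():
        print(f"{proto:4} {flags or '-':3} -> {'match' if ok else 'no match'}")
```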

