PF syntax error

Miroslav Lachman 000.fbsd at quip.cz
Wed Oct 15 22:19:19 UTC 2008


Jon Radel wrote:
> Ermal Luçi wrote:
> 
>>On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>>
>>>On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>
>>>>Hello,
>>>>
>>>>I am not sure if I should be here or over at a pf specific list but here
>>>>is my problem.
>>>
>>>I've changed the CC list, so this will now go to the freebsd-pf mailing
>>>list instead.
>>>
>>>
>>>>I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>>me problems.
>>>>
>>>>pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
>>>>global)
>>
>>Is it a copy-paste error, or did you forget keep state in there?
>>It should look like
>>pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
>><bruteforce> flush global)
> 
> 
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....
> 
> Actually, it is, as is "flags S/SA" on TCP connections.  Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.

Yes, keep state is the default, but the syntax for source tracking requires
it explicitly, as stated in man pf.conf:

------------- man pf.conf --------------
STATEFUL TRACKING OPTIONS
A number of options related to stateful tracking can be applied on a per 
rule basis.  keep state, modulate state and synproxy state support these
options, and *keep state must be specified explicitly* to apply options 
to a rule.
------------- man pf.conf --------------

Miroslav Lachman

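A complete pf.conf fragment built around the corrected rule from this thread, added here as an example and not part of any message above; the <bruteforce> table name, the $ext_if macro and the option values come from the thread, while the interface name and the block rule are assumptions:

```conf
# Constructed example pf.conf fragment (not from the mailing-list thread).
# The interface name is an assumption; set it to the real external interface.
ext_if = "em0"

# Table that the overload option fills; "persist" keeps it in the kernel
# even while no loaded rule references it.
table <bruteforce> persist

# Drop traffic from sources already flagged by the overload option.
# Must precede the pass rule, since both use "quick".
block in quick on $ext_if from <bruteforce>

# Wrong (the rule from the thread): source-tracking options without an
# explicit "keep state". pfctl rejects this with a syntax error even
# though keep state is the default for the rule itself.
# pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
#     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Correct: "keep state" is written out, so the options in parentheses are
# accepted. At most 15 concurrent connections per source address and no
# more than 5 new connections per 3 seconds; a source exceeding either
# limit is added to <bruteforce> and all of its states are flushed.
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; entries in the table do not expire on their own, so a periodic `pfctl -t bruteforce -T expire 86400` removes addresses that have been listed for more than a day.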