pf creating states by default now?

Yar Tikhiy yar at comp.chem.msu.su
Sun Sep 7 21:24:17 UTC 2008


On Sep 8, 2008, at 1:09 AM, Chris Smith wrote:

> On Sunday 07 September 2008 04:53:20 pm Yar Tikhiy wrote:
>> And in OpenBSD-current the manpage still reads: "...keep state
>> must be specified explicitly to apply [stateful tracking] options
>> to a rule."
>
> Not in the -current running here. The manpage reads:
> "A number of options related to stateful tracking can be applied on a per-rule
> basis. keep state, modulate state and synproxy state support these options,
> and keep state must be specified explicitly to apply options to a rule."
>
> And the "options" referred to are listed in that section, such as max,
> timeout, no-sync, sloppy, etc. If you're not applying the options, keep state
> is implied.

Sorry, I misread that paragraph.  I also missed this:

      pass  The packet is passed; state is created unless the no state
            option is specified.

      By default pf(4) filters packets statefully; the first time a packet
      matches a pass rule, a state entry is created; for subsequent packets the
      filter checks whether the packet matches any state.

Excuse me for the noise.

Yar
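The three cases the thread turns on, as an added pf.conf fragment (not part of the list post); it assumes an external interface em0 and a server at the documentation address 192.0.2.10, and follows the pf.conf(5) text quoted above.

```pf
# Added example, not from the mailing-list thread. Assumed names: em0 and
# 192.0.2.10 (RFC 5737 documentation address).
ext_if = "em0"
web_srv = "192.0.2.10"

block in on $ext_if all

# 1. Stateful by default: no "keep state" needed. The first SYN creates a
#    state entry; replies and later packets match the state, not the ruleset.
#    (On a pf without default stateful filtering this rule is stateless and
#    would need "keep state" to behave the same way.)
pass in on $ext_if proto tcp from any to $web_srv port 80

# 2. Stateful-tracking options such as max or max-src-states still require
#    "keep state" to be written out explicitly.
pass in on $ext_if proto tcp from any to $web_srv port 443 \
    flags S/SA keep state (max 500, source-track rule, max-src-states 20)

# 3. Opting out with "no state": no entry is created, so the return traffic
#    is not matched by a state and needs its own pass rule.
pass in quick on $ext_if proto udp from any to $web_srv port 53 no state
pass out quick on $ext_if proto udp from $web_srv port 53 to any no state
```

Load it with `pfctl -nf` first to syntax-check without installing it, then watch `pfctl -ss` to see that only rules 1 and 2 produce state entries.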
