pf vs. RST attack question
Giorgos Keramidas
keramida at freebsd.org
Mon Oct 6 14:03:08 UTC 2008
On Mon, 6 Oct 2008 14:44:54 +0100, "James Seward" <jamesoff at gmail.com> wrote:
> On Mon, Oct 6, 2008 at 12:51 PM, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>> I've never gotten a definite answer as to what happens if you use "flags
>> S/SA" on a rule that is for UDP, since UDP is a non-negotiated protocol.
>> That's why I split them up per protocol on RELENG_6 boxes.
>
> It intelligently ignores it:
> % pfctl -vn -f-
> pass out proto { tcp udp } all flags S/SA keep state
>
> Output:
> pass out proto tcp all flags S/SA keep state
> pass out proto udp all keep state

The ruleset optimizer displays something similar too:

> pfctl -sr -o basic

shows the same pair of rules :)