List: freebsd-pf
Subject: Re: PF and State Table
From: "Kian Mohageri" <kian.mohageri () gmail ! com>
Date: 2008-04-03 4:51:05
Message-ID: fee88ee40804022151x44148f70t9c78185481e89957 () mail ! gmail ! com
On Wed, Apr 2, 2008 at 9:20 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>
> On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
> > On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
> > <m.pagulayan@auckland.ac.nz> wrote:
> > > Hi,
> > >
> > > What pf version are you using? Correct me if I am wrong guys, on PF4.1
> > > which is the release version of pf on freebsd 7.0 when you specify keep
> > > state the flag S/A is implied?
> > >
> >
> > Correct, and if you leave out 'keep state' entirely, it will apply
> > 'flags S/SA keep state'
> >
> > e.g.,
> >
> > kian@alvis:~
> > > cat pf.conf
> > pass on em0
> >
> > kian@alvis:~
> > > pfctl -vnf pf.conf
> > pass on em0 all flags S/SA keep state
>
> I'd like to know what exactly happens to UDP and ICMP packets when
> hitting that rule, since UDP and ICMP don't have such flags. The
> documentation doesn't really discuss what happens in this case.
>
> This is why I solicit having 3 separate rules for each protocol (TCP =
> flags S/SA keep state, UDP = keep state, ICMP = keep state).
>
>
The flags requirement only applies to TCP, so only the 'keep state'
part is applied to UDP/ICMP.
-Kian
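
Added example, not part of the original message and not pf's own code: a simplified Python model of the behaviour described in this thread, where the `flags S/SA` test is applied only to TCP while `keep state` applies to TCP, UDP and ICMP alike. The function names, the state key and the endpoint addresses are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not pf source) of how a rule such as
# 'pass on em0 all flags S/SA keep state' treats each protocol.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# 'flags S/SA': inspect only the SYN and ACK bits (mask); of those, only SYN is set.
RULE = {"flags_set": SYN, "flags_mask": SYN | ACK, "keep_state": True}


def rule_matches(rule, proto, tcp_flags=0):
    """The flags test is applied to TCP only; UDP and ICMP skip it."""
    if proto != "tcp":
        return True
    return (tcp_flags & rule["flags_mask"]) == rule["flags_set"]


def flow_key(proto, src, dst):
    # One state entry covers both directions of a flow (simplified key).
    return (proto, frozenset((src, dst)))


def process(states, proto, src, dst, tcp_flags=0):
    """State lookup comes first; the rule is consulted only on a state miss."""
    key = flow_key(proto, src, dst)
    if key in states:
        return "state"
    if rule_matches(RULE, proto, tcp_flags):
        if RULE["keep_state"]:
            states.add(key)
        return "rule"
    return "no-match"


def demo():
    states = set()
    a, b = ("192.0.2.10", 40000), ("198.51.100.5", 53)  # constructed endpoints
    return [
        process(states, "tcp", a, b, ACK),        # stray ACK, no state yet
        process(states, "tcp", a, b, SYN),        # initial SYN creates state
        process(states, "tcp", b, a, SYN | ACK),  # reply rides the state
        process(states, "udp", a, b),             # no flags test for UDP
        process(states, "udp", b, a),             # UDP reply rides the state
        process(states, "icmp", a[0], b[0]),      # no flags test for ICMP
    ]


if __name__ == "__main__":
    print(demo())
```

"no-match" here means only that this one rule did not apply; what happens to such a packet depends on the rest of the ruleset.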