
List:       openbsd-misc
Subject:    Re: pf.conf man page question (pass rule matching vs. state creation)
From:       corey clingo <clingeaux () gmail ! com>
Date:       2012-01-29 23:45:21
Message-ID: CAMZCDkJV=SkGv+CL6W8S_N2z1cocqzocycRE9-5G1qJB=zqyDQ () mail ! gmail ! com

On Sun, Jan 29, 2012 at 5:35 PM, corey clingo <clingeaux@gmail.com> wrote:
> On Sun, Jan 29, 2012 at 4:45 PM, Henning Brauer <lists-openbsd@bsws.de> wrote:
>> * corey clingo <clingeaux@gmail.com> [2012-01-29 19:47]:
>>> Anyway, I'm reading the pf.conf man page, and I interpret it as saying
>>> that the last matching pass/block rule determines what action is
>>> taken, but the _first_ matching pass rule is what creates the state.
>>> Am I interpreting this correctly?
>>
>> no, the last one creates state (simplified, it isn't THAT simple
>> anymore, but that is still what it comes down to).
>>
>>> Should I be using match rules to do nat-to/rdr-to instead?
>>
>> should? maybe. depends. whatever is easier in your case.
>> could? yes.
>>
>> --
>> Henning Brauer, hb@bsws.de, henning@openbsd.org
>> BS Web Services, http://bsws.de, Full-Service ISP
>> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
>> Henning Brauer Consulting, http://henningbrauer.com/
>>
>
> OK, thanks, that clarifies things. That being the case, I can see
> where using pass or match rules could each be better in different
> situations (I used pass rules for my quick migration, but may try
> rewriting the ruleset later using match rules to see if it improves
> clarity or intent).
>
> As always, thanks for all the responses.
>
> FWIW, my interpretation came from the following in the "PACKET
> FILTERING" section of pf.conf(5):
>
>   "For block and pass, the last matching rule decides what action is taken;
>    if no rule matches the packet, the default action is to pass the packet."
>
> and, a bit later,
>
>    "By default pf(4) filters packets statefully: the first time a packet
>     matches a pass rule, a state entry is created."
>
> Kind regards,
> Corey

Hmm...on further reflection, I suppose the second section means that
the state is created when the first _packet_ (of possibly many in a
connection) matches the pass rule that ends up acting on it, rather
than meaning state is created by the first _pass rule_ in the ruleset
that that packet matches.

Oh well, I understand it now. Thanks again.
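As an added illustration of the two points settled in this thread (the last matching pass/block rule both decides the action and creates the state, and match rules as the alternative for rdr-to), the following pf.conf fragment is not from the thread or from the pf.conf(5) man page; the interface, network and host names are placeholders.

```pf
# Added example, not from the thread. Names below are assumed placeholders.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
web    = "192.168.1.10"

# Default-deny first. For pass/block, the LAST matching rule decides.
# A TCP/80 packet from the LAN matches both pass rules; the second one is
# the last match, so it passes the packet and creates the state, and its
# options (here "log") are the ones that apply.
block log all
pass in on $int_if from $lan
pass in log on $int_if proto tcp from $lan to any port 80

# "quick" ends evaluation at this rule, so for packets it matches the usual
# last-match reading does not apply: no later pass rule is consulted.
block quick in on $ext_if proto tcp to port 22

# Redirection with a pass rule (the quick-migration style used in the thread):
# translation and the pass/state decision are taken by one rule.
pass in on $ext_if proto tcp to ($ext_if) port 443 rdr-to $web

# Redirection with a match rule (the alternative asked about): the match rule
# only rewrites the destination and takes no pass/block decision. The packet
# keeps being evaluated, later rules see the translated destination, and the
# last matching pass/block rule still decides and creates the state. Keeping
# the pass rule separate makes the intent of the ruleset easier to audit.
match in on $ext_if proto tcp to ($ext_if) port 8443 rdr-to $web port 443
pass in on $ext_if proto tcp to $web port 443
```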
