From: Yar Tikhiy
To: Olli Hauer
Cc: freebsd-pf@freebsd.org
Date: Mon, 8 Sep 2008 00:53:20 +0400
Subject: Re: pf creating states by default now?
In-Reply-To: <20080907153151.310630@gmx.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sep 7, 2008, at 7:31 PM, Olli Hauer wrote:

>> Looks like pfctl or pf itself added stateful semantics to my pf.conf
>> that weren't there initially. Is this effect intended and, if so, how
>> can I tell pf not to create states from certain rules?
>>
>> Thanks! And excuse me if I'm just missing something.
>>
>> Yar
>>
>
> Yes, it is not in man pf.conf(5) but in the Rel Notes
> http://www.freebsd.org/releases/7.0R/relnotes.html
> See also http://openbsd.org/faq/upgrade41.html (1.2. Operational
> changes)

Thank you for pointing that out!

> The man page matches the OpenBSD one
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

And in OpenBSD-current the manpage still reads: "...keep state must be
specified explicitly to apply [stateful tracking] options to a rule."

Perhaps we can fix this issue in our src tree and then send the patch
upstream to the OpenBSD folks, can't we? In Subversion, the price of
touching an imported file is not nearly as high as it used to be in CVS.
> What is your reason for not using 'S/SA keep state' on these rules?

I think I'm hitting some obscure issue with pf state synchronisation
between two routers, so I'd like to prevent at least internal connections
from being torn when a switch from the master to the backup router occurs
via carp. The routers have a lot of vlan interfaces, and I'd like to limit
stateful filtering to the uplink vlan only.

> You can disable this with the 'no state' keyword

I see now. Your help is much appreciated!

Yar
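Added example, not part of the thread: a pf.conf fragment for the setup Yar describes, with stateful filtering only on the uplink vlan and explicit 'no state' on the internal vlans so a carp master/backup switch-over does not tear internal connections. Interface names, networks and the sync link are assumed.

```pf
# Added example (not from the thread). Interface names and networks are
# assumed; adjust to the real vlan layout.
ext_if    = "vlan100"                   # uplink vlan, the only stateful one
int_ifs   = "{ vlan10 vlan20 vlan30 }"  # internal vlans, filtered statelessly
int_nets  = "{ 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 }"
pfsync_if = "vlan999"                   # dedicated pfsync/carp link

set skip on lo0

# Uplink: stateful. Since pf 4.1 (FreeBSD 7.0) 'flags S/SA keep state' is
# the default for pass rules; spelling it out keeps the intent visible.
block in on $ext_if
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp icmp } all keep state
pass in  on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state

# Internal vlans: 'no state' overrides the new default, so these rules
# create no state-table entries and nothing for pfsync to carry. Without
# state, return traffic must be allowed by its own rule.
pass in  on $int_ifs from $int_nets to any no state
pass out on $int_ifs from any to $int_nets no state

# Router-to-router traffic needed for failover.
pass on $pfsync_if proto pfsync no state
pass on $int_ifs   proto carp   no state
```

`pfctl -sr` prints the rules as pf actually loaded them, so the internal rules should show 'no state' while the uplink rules show 'flags S/SA keep state'.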