From: "Ivan Levchenko" <levchenko.i@gmail.com>
To: "Darrin Chandler"
Cc: freebsd-questions@freebsd.org
Date: Mon, 31 Jul 2006 14:04:23 +0300
Subject: Re: pf states
In-Reply-To: <20060730223501.GE3123@jeeves.stilyagin.local>

Thanks a lot for the tips, will keep them in mind.
I have seen those states on port 53 for udp.

p.s. pf works like a charm.... Just for the interest, I looked into /etc/rc.firewall and I was just terrified by it. pf looks like a breath of fresh air.

On 7/31/06, Darrin Chandler wrote:
> On Sun, Jul 30, 2006 at 09:33:15PM +0000, Ivan Levchenko wrote:
> > Thanks, I have "some knowledge" of these things (at least I have been
> > reading the man pages for pf and altq, and the openbsd pf faq =) ..
> >
> > like always ... there is still more reading ahead.
> >
> > thanks.
>
> The thing that I forgot to mention is that pf tries to keep state for
> udp and icmp, even though these are not strictly stateful protocols. So
> there are "state" entries that you will not find any information about
> if you go read about icmp or udp.
>
> For instance, if you have a default "block in" rule, but a "pass out
> icmp keep state" and you send out a ping (icmp echo-request) then pf
> will create a state waiting for the echo reply and let it in. The same
> goes for udp, which is often seen on port 53 for DNS.
>
> It's good that you want to know what is going on and are learning. Too
> many people do not.
>
> --
> Darrin Chandler            | Phoenix BSD Users Group
> dwchandler@stilyagin.com   | http://bsd.phoenix.az.us/
> http://www.stilyagin.com/  |

--
Best Regards,
Ivan Levchenko
Manager of Programming department
levchenko.i@gmail.com
ilevchenko@geeksforless.net
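To make the quoted explanation concrete, here is a pf.conf fragment added as an illustration (it is not from the thread or from the FreeBSD rc scripts); the interface name em0 is an assumption.

```pf
# Added example, not from the thread. "em0" is an assumed interface name.
ext_if = "em0"

# Default-deny inbound: nothing is admitted unless an existing state entry
# already matches the packet.
block in on $ext_if all

# Outbound ICMP echo requests: pf records a state entry for each one and the
# matching echo-reply is admitted through the "block in" rule above. ICMP has
# no handshake, so the entry is pf's own bookkeeping, not a protocol state;
# pf also admits ICMP error messages that refer to an existing state.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Outbound DNS over UDP: the same mechanism lets the single reply datagram
# from the resolver's port 53 back in. These are the udp/53 entries you see
# in the state table; they expire on pf's udp timeouts, not on any FIN/RST.
pass out on $ext_if proto udp to port 53 keep state

# TCP is tracked the same way, but "flags S/SA" restricts state creation to
# an initial SYN, so only locally initiated connections get an entry.
pass out on $ext_if proto tcp flags S/SA keep state
```

`pfctl -ss` lists the live state table (look for the `udp` and `icmp` lines after a ping or DNS lookup), and `pfctl -st` shows the timeouts those entries expire on. Newer pf versions keep state by default, so the explicit `keep state` keyword is redundant there but still accepted.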