Date:      Sun, 7 Sep 2008 17:33:07 +0400
From:      Yar Tikhiy <yar@comp.chem.msu.su>
To:        freebsd-pf@freebsd.org
Subject:   pf creating states by default now?
Message-ID:  <A676B431-7DBD-49BA-AE4C-54786FB4833D@comp.chem.msu.su>

Hi all,

After upgrading a production machine from 6.x to 7.x,
I noticed that pf would create states from rules without
"keep state".  IMSMR, it hadn't happened before, and
the pf.conf(5) manpage still says one has to specify
"keep state" explicitly for pf to create states.

Just examined this issue more closely on a CURRENT machine.
If I load the following simple pf.conf file:

> set skip on lo0
> block return all
> pass out all
> pass in inet proto icmp all icmp-type echoreq
> pass in inet proto tcp from any to any port 22
then I get these actual rules as shown by "pfctl -s rules":

> block return all
> pass out all flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in inet proto tcp from any to any port = ssh flags S/SA keep state
Looks like pfctl or pf itself added stateful semantics to my pf.conf
that weren't there initially.  Is this effect intended and, if so, how
can I tell pf not to create states from certain rules?

Thanks!  And excuse me if I'm just missing something.

Yar
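Added example, not part of the original message: a ruleset in the same shape as the one quoted above, showing how individual rules can opt out of the implicit state tracking. It assumes the pf.conf(5) grammar of the pf shipped with FreeBSD 7.x (OpenBSD 4.1 lineage), where "keep state" is the default for pass rules and "no state" disables it.

```pf
# Constructed example ruleset (assumes FreeBSD 7.x pf syntax, OpenBSD 4.1 lineage).
set skip on lo0
block return all

# In this pf version a plain pass rule creates state implicitly, so this
# line is loaded as "pass out all flags S/SA keep state".
pass out all

# "no state" opts a single rule out of state creation. Caveat: with no
# state entry the reply packets are not tied to this rule; they must be
# permitted on their own (here the outbound echo reply is still covered
# by "pass out all"), and every matching packet is evaluated against
# the ruleset again instead of being matched by a state lookup.
pass in inet proto icmp all icmp-type echoreq no state

# For TCP, stateful filtering is normally the safer choice: pf tracks the
# handshake and sequence numbers and only accepts packets belonging to a
# connection it saw open. Writing "keep state" explicitly keeps the intent
# visible even though it is now the default.
pass in inet proto tcp from any to any port 22 flags S/SA keep state
```

"pfctl -nvf /etc/pf.conf" parses the file without loading it and prints the rules as pf expands them, which makes the implicit "keep state" visible before the ruleset goes live.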