Date: Mon, 8 Sep 2008 00:53:20 +0400
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Olli Hauer <ohauer@gmx.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf creating states by default now?
Message-ID: <F200297C-7592-4FFA-B31D-6E203EBABF2D@comp.chem.msu.su>
In-Reply-To: <20080907153151.310630@gmx.net>
References: <A676B431-7DBD-49BA-AE4C-54786FB4833D@comp.chem.msu.su> <20080907153151.310630@gmx.net>

On Sep 7, 2008, at 7:31 PM, Olli Hauer wrote:

>> Looks like pfctl or pf itself added stateful semantics to my pf.conf
>> that weren't there initially. Is this effect intended and, if so, how
>> can I tell pf not to create states from certain rules?
>>
>> Thanks! And excuse me if I'm just missing something.
>>
>> Yar
>>
>
> Yes, it is not in man pf.conf(5) but in the Rel Notes
> http://www.freebsd.org/releases/7.0R/relnotes.html
> See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)

Thank you for pointing me out!

> The man page matches the OpenBSD one
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

And in OpenBSD-current the manpage still reads: "...keep state must be
specified explicitly to apply [stateful tracking] options to a rule."
Perhaps we can fix this issue in our src tree and then send the patch
upstream to the OpenBSD folks, can't we? In Subversion, the price of
touching an imported file is not nearly as high as it used to be in CVS.

> What is your reason for not using 'S/SA keep state' at these rules?

I think I'm hitting some obscure issue with pf state synchronisation
between two routers, so I'd like to prevent at least internal connections
from being torn when a switch from the master to the backup router occurs
via carp. The routers have a lot of vlan interfaces, and I'd like to limit
stateful filtering to the uplink vlan only.

> You can disable this with the 'no state' keyword

I see now. Your help is much appreciated!

Yar
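
An added example, not part of the original message and not code from pf or pfctl: a small audit helper that lists the pass rules in a pf.conf that carry no explicit state option, which are the rules that pick up stateful behaviour under the default discussed in this thread. The sample ruleset and its interface names are constructed, and the parser assumes '#' never appears inside a quoted string.

```python
import re

# Options that make a pass rule's state handling explicit in pf.conf.
STATE_OPTS = re.compile(r"\b(no|keep|modulate|synproxy)\s+state\b")


def logical_lines(text):
    """Yield (first_line_no, rule) with comments removed and '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # assumption: no '#' inside quotes
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None


def implicit_state_rules(text):
    """Return pass rules that name no state option and so rely on the default."""
    return [(no, rule) for no, rule in logical_lines(text)
            if rule.split()[0] == "pass" and not STATE_OPTS.search(rule)]


# Constructed sample ruleset; vlan100 is a hypothetical uplink vlan.
SAMPLE = '''\
ext_if = "vlan100"            # uplink
int_ifs = "{ vlan10, vlan20 }"
block all
pass out on $ext_if proto tcp all flags S/SA keep state
pass on $int_ifs all no state
pass in on $int_ifs proto tcp \\
    from any to any port ssh
pass out on $ext_if proto udp all
'''

if __name__ == "__main__":
    for no, rule in implicit_state_rules(SAMPLE):
        print(f"line {no}: no explicit state option: {rule}")
```

Each reported rule should be given either 'keep state' or 'no state' explicitly, so the file says what the loaded ruleset will do.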