Date: Mon, 8 Sep 2008 01:23:59 +0400
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Chris Smith <pf_free@chrissmith.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf creating states by default now?
Message-ID: <0663003B-EF24-4A3C-BB2F-53C2ED99DC16@comp.chem.msu.su>
In-Reply-To: <200809071709.06945.pf_free@chrissmith.org>
References: <A676B431-7DBD-49BA-AE4C-54786FB4833D@comp.chem.msu.su> <20080907153151.310630@gmx.net> <F200297C-7592-4FFA-B31D-6E203EBABF2D@comp.chem.msu.su> <200809071709.06945.pf_free@chrissmith.org>

On Sep 8, 2008, at 1:09 AM, Chris Smith wrote:

> On Sunday 07 September 2008 04:53:20 pm Yar Tikhiy wrote:
>> And in OpenBSD-current the manpage still reads: "...keep state
>> must be specified explicitly to apply [stateful tracking] options
>> to a rule."
>
> Not in the -current running here. The manpage reads:
> "A number of options related to stateful tracking can be applied on
> a per-rule basis. keep state, modulate state and synproxy state
> support these options, and keep state must be specified explicitly
> to apply options to a rule."
>
> And the "options" referred to are listed in that section, such as max,
> timeout, no-sync, sloppy, etc. If you're not applying the options,
> keep state is implied.

Sorry, I misread that paragraph. I also missed this:

    pass    The packet is passed; state is created state unless the
            no state option is specified.

    By default pf(4) filters packets statefully; the first time a
    packet matches a pass rule, a state entry is created; for
    subsequent packets the filter checks whether the packet matches
    any state.

Excuse me for the noise.

Yar
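
The three cases discussed in this thread, as an added pf.conf fragment that is not part of the original message. It assumes a pf version that filters statefully by default, as the quoted manpage describes; the interface macro, ports and limits are constructed placeholders.

```pf
# Constructed example; ext_if, the ports and the limits are placeholders.
ext_if = "em0"

block in on $ext_if all

# 1. No state keyword: pf creates a state entry on the first packet
#    that matches, so this rule behaves as if "keep state" were written.
pass in on $ext_if proto tcp from any to any port 22

# 2. Stateful tracking options (max, no-sync, ...) have to be attached
#    to an explicit "keep state" (or modulate state / synproxy state).
pass in on $ext_if proto tcp from any to any port 80 \
    keep state (max 500, no-sync)

# 3. Opting out: with "no state" nothing is entered in the state table,
#    every packet is evaluated against the ruleset, and replies need a
#    matching rule of their own.
pass in  on $ext_if proto udp from any to any port 514 no state
pass out on $ext_if proto udp from any port 514 to any no state
```

Parse it with `pfctl -nf <file>` before loading; after loading, `pfctl -ss` lists the state entries, where traffic matched by rules 1 and 2 shows up and traffic matched by rule 3 does not.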