Date: Sun, 07 Sep 2008 23:31:43 +0200
From: "Olli Hauer" <ohauer@gmx.de>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf creating states by default now?
Message-ID: <20080907213143.15910@gmx.net>
In-Reply-To: <F200297C-7592-4FFA-B31D-6E203EBABF2D@comp.chem.msu.su>
References: <A676B431-7DBD-49BA-AE4C-54786FB4833D@comp.chem.msu.su> <20080907153151.310630@gmx.net> <F200297C-7592-4FFA-B31D-6E203EBABF2D@comp.chem.msu.su>
> >> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> >> that weren't there initially. Is this effect intended and, if so, how
> >> can I tell pf not to create states from certain rules?
> >>
> >> Thanks! And excuse me if I'm just missing something.
> >>
> >> Yar
> >>
> >
> > Yes, it is not in man pf.conf(5) but in the Rel Notes
> > http://www.freebsd.org/releases/7.0R/relnotes.html
> > See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
>
> Thank you for pointing it out!
>
> > The man page matches the OpenBSD one
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
>
> And in OpenBSD-current the manpage still reads: "...keep state
> must be specified explicitly to apply [stateful tracking] options
> to a rule."
>
> Perhaps we can fix this issue in our src tree and then send the
> patch upstream to the OpenBSD folks, can't we? In Subversion, the
> price of touching an imported file is not nearly as high as it used
> to be in CVS.

Yes, parts of the document should be updated.

> > What is your reason for not using 'S/SA keep state' at these rules?
>
> I think I'm hitting some obscure issue with pf state synchronisation
> between two routers, so I'd like to prevent at least internal connections
> from being torn when a switch from the master to the backup router occurs
> via carp. The routers have a lot of vlan interfaces, and I'd like to limit
> stateful filtering to the uplink vlan only.
>
> > You can disable this with the 'no state' keyword
>
> I see now. Your help is much appreciated!
>
> Yar

Hm, maybe something like this can be your solution (example for ssh traffic):

# no state rule to manage the router interface (not carp/vlans/cloned interfaces)
pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state

# all other ssh traffic
pass in inet proto tcp from any to any port 22

Regards,
olli

--
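An added pf.conf example, not part of the thread, that combines the 'no state' keyword from Olli's reply with Yar's goal of keeping stateful filtering on the uplink vlan only. The interface names, the sync link and the address range are assumed for illustration.

```pf
# Added example (not from the thread). Stateful filtering on the uplink
# vlan only; the internal vlans are filtered statelessly, so a carp
# failover between the two routers does not tear down internal
# connections whose state entries never made it to the backup router.
# Interface names and networks are assumed.
ext_if   = "vlan100"                   # uplink vlan, stateful
int_ifs  = "{ vlan10 vlan20 vlan30 }"  # internal vlans, stateless
sync_if  = "em1"                       # dedicated pfsync link
internal = "{ 10.10.0.0/16 }"

# pfsync and carp must never be blocked, or failover itself breaks.
set skip on { lo0 $sync_if pfsync0 }
pass quick inet proto carp

# Uplink: stateful. These states are replicated over pfsync, so the
# backup router can take over existing sessions on failover.
block in on $ext_if
pass in  on $ext_if inet proto tcp from any to $internal port 22 \
        flags S/SA keep state
pass out on $ext_if inet keep state

# Internal vlans: stateless in both directions, so nothing here
# depends on state replication. 'flags any' is needed because a
# stateless rule sees every packet of a session, not just the SYN,
# and the return direction (source port 22) must be allowed explicitly.
pass quick on $int_ifs inet proto tcp from $internal to $internal port 22 \
        flags any no state
pass quick on $int_ifs inet proto tcp from $internal port 22 to $internal \
        flags any no state
```

Because no state is created for the internal vlans, the two stateless rules must cover both directions of every session; leaving out the source-port-22 rule would silently drop the replies.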