Date: Thu, 27 Feb 2020 16:16:46 -0800
From: Doug Hardie <bc979@lafn.org>
To: RW <rwmaillists@googlemail.com>, RW via freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: pf usage
Message-ID: <24691027-DA63-4C4B-B851-4C5B3CE2336F@mail.sermon-archive.info>
In-Reply-To: <20200227221511.641d9d91@gumby.homeunix.com>
References: <A9F6E326-01C8-44C3-8BD0-D613E4EAFEED@mail.sermon-archive.info> <20200227221511.641d9d91@gumby.homeunix.com>
> On 27 February 2020, at 14:15, RW via freebsd-questions <freebsd-questions@freebsd.org> wrote:
>
> On Wed, 26 Feb 2020 02:55:15 -0800
> Doug Hardie wrote:
>
>> I just learned something quite unexpected about pf. Some time ago,
>> the rules had to include "state" to have pf track state. However,
>> later pf was changed to always assume "state", thus reducing the
>> typing of the rules. The description of that change made me believe
>> that the change was in pf. On one of my systems with two NICs and
>> two different internet providers, I was using pftop to track usage.
>> The only states I saw were for just one network. The other one never
>> showed any states, but the packets were delivered properly.
>>
>> I discovered that pf has to have a rule for each interface. I used
>> "pass all" for the interface that needed no other rules. The change
>> apparently was made to pfctl, not pf. So the one interface had no
>> rules, and hence there was nothing to tell pf to track state.
>
> If your concern is to do with efficiency, there may be an optimization
> there. It's possible that pfctl sets a flag on interfaces that aren't
> affected by the rule set, so that traffic can pass with low overheads
> and without creating unnecessary state entries.
>
> I've no idea whether this is correct, it's just speculation. But if it
> is then forcing state entries would be counterproductive.

In this case, the volume of traffic is quite low. I am much more concerned about monitoring the connections than in efficiency. I suspect, though, that your speculation is correct.

-- 
Doug
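The situation Doug describes, as an added pf.conf example (not from the thread): one interface with rules, a second interface with none, and the `pass` rule that makes pf create state for the second one. Interface names, ports and the `-sr`/`-ss` checks in the comments are assumptions, not something the thread shows.

```conf
# Added example; interface names are assumed.
isp_a = "em0"   # provider A: has rules, so its connections show up in pftop
isp_b = "em1"   # provider B: had no rules at all

# Before: every rule names $isp_a. Traffic on $isp_b matches nothing,
# and pf's default when no rule matches is to pass the packet, so it is
# delivered but never entered in the state table (no entries in pftop).
block in on $isp_a all
pass in on $isp_a proto tcp to port { 22, 80, 443 }
pass out on $isp_a all

# After: one explicit rule for $isp_b. When the ruleset is loaded, pfctl
# expands this to "pass on em1 all flags S/SA keep state", which is why
# states for $isp_b appear in pftop only once this line exists.
pass on $isp_b all

# Checks:
#   pfctl -vnf /etc/pf.conf   parse only; prints the expanded rules
#   pfctl -sr                 confirm "keep state" was added to the pass rule
#   pfctl -ss                 state table, same data pftop shows
#
# Stricter variant: put "block all" as the first rule so that traffic on an
# interface nobody wrote a rule for is dropped instead of silently passed
# without state. That is what turned the missing rule into a visible gap.
```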