Date: Mon, 31 Jul 2006 14:04:23 +0300
From: "Ivan Levchenko" <levchenko.i@gmail.com>
To: "Darrin Chandler" <dwchandler@stilyagin.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf states
Message-ID: <e39dd5bb0607310404h53851298wf07024b7b64f9622@mail.gmail.com>
In-Reply-To: <20060730223501.GE3123@jeeves.stilyagin.local>
References: <e39dd5bb0607301353y1fd79e6by7d2af3307bc02c40@mail.gmail.com> <20060730212630.GC3123@jeeves.stilyagin.local> <e39dd5bb0607301433n144787a7s66dd92dc8eb00b3f@mail.gmail.com> <20060730223501.GE3123@jeeves.stilyagin.local>
Thanks a lot for the tips, will keep them in mind. I have seen those states on port 53 for UDP.

P.S. pf works like a charm.... Just for interest, I looked into /etc/rc.firewall and I was just terrified by it. pf looks like a breath of fresh air.

On 7/31/06, Darrin Chandler <dwchandler@stilyagin.com> wrote:
> On Sun, Jul 30, 2006 at 09:33:15PM +0000, Ivan Levchenko wrote:
> > Thanks, I have "some knowledge" of these things (at least I have been
> > reading the man pages for pf and altq, and the OpenBSD pf FAQ =) ..
> >
> > Like always ... there is still more reading ahead.
> >
> > Thanks.
>
> The thing that I forgot to mention is that pf tries to keep state for
> UDP and ICMP, even though these are not strictly stateful protocols. So
> there are "state" entries that you will not find any information about
> if you go read about ICMP or UDP.
>
> For instance, if you have a default "block in" rule, but a "pass out
> icmp keep state" and you send out a ping (ICMP echo-request), then pf
> will create a state waiting for the echo reply and let it in. The same
> goes for UDP, which is often seen on port 53 for DNS.
>
> It's good that you want to know what is going on and are learning. Too
> many people do not.
>
> --
> Darrin Chandler            | Phoenix BSD Users Group
> dwchandler@stilyagin.com   | http://bsd.phoenix.az.us/
> http://www.stilyagin.com/  |

--
Best Regards,
Ivan Levchenko
Manager of Programming department
levchenko.i@gmail.com
ilevchenko@geeksforless.net
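The situation Darrin describes, written out as a minimal pf.conf. This is an added example, not a ruleset from the thread or from either poster; the interface name em0, the addresses in the usage note and the choice of a single external interface are assumptions for illustration.

```pf.conf
# Added example ruleset (not from the thread). "em0" is an assumed
# external interface name; adjust to the real one.
ext_if = "em0"

# Don't filter loopback at all.
set skip on lo0

# Default policy: unsolicited inbound traffic on the external interface
# is dropped. Nothing below opens an inbound port; replies get in only
# because an outbound packet created a state entry first.
block in on $ext_if

# An outbound echo request creates a state entry that includes the ICMP
# id, so only the matching echo reply is passed back in. Limiting the
# rule to echoreq means no other ICMP type creates state on its own.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# An outbound DNS query creates a UDP state keyed on the full
# src-addr:port -> dst-addr:port tuple. The server's answer to that
# exact tuple is let in; arbitrary inbound packets to/from port 53 are not.
pass out on $ext_if inet proto udp to port 53 keep state

# Ordinary outbound TCP, also stateful. On the pf of this era (FreeBSD 6)
# "keep state" had to be spelled out; on FreeBSD 7+/OpenBSD 4.1+ pass
# rules keep state by default, so the keywords become redundant but harmless.
pass out on $ext_if inet proto tcp flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf`, run a `ping` and a DNS lookup from the box, and inspect the state table with `pfctl -s state`. The entries look roughly like the two constructed lines below (addresses and ports are made up); note that the ICMP state shows the echo id where a port would normally be, which is how pf tells this ping's replies apart from any other inbound echo-reply:

    all icmp 192.0.2.10:46231 -> 198.51.100.1:46231       0:0
    all udp 192.0.2.10:51512 -> 198.51.100.53:53       SINGLE:MULTIPLE

Because UDP and ICMP have no connection teardown, these states only disappear by timeout (`pfctl -s timeouts` lists them; the defaults are udp.first 60s, udp.single 30s, udp.multiple 60s, icmp.first 20s, icmp.error 10s). That is the practical cost of the convenience: for the length of that window the reverse tuple is a hole in "block in", which is one reason to keep the pass-out rules as narrow as the examples above rather than `pass out all keep state`.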