Date: Mon, 06 Oct 2008 17:02:45 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: "James Seward" <jamesoff@gmail.com>
Cc: Jeremy Chadwick <koitsu@freebsd.org>, Scott Bennett <bennett@cs.niu.edu>, freebsd-questions@freebsd.org
Subject: Re: pf vs. RST attack question
Message-ID: <87zllhrfcq.fsf@kobe.laptop>
In-Reply-To: <720051dc0810060644n14495ee4k8f2942d16e634c78@mail.gmail.com> (James Seward's message of "Mon, 6 Oct 2008 14:44:54 +0100")
References: <200810051753.m95Hr3N5014872@mp.cs.niu.edu> <20081006003601.GA5733@icarus.home.lan> <48E9BBED.7090607@infracaninophile.co.uk> <20081006072611.GA13147@icarus.home.lan> <871vyuj6ul.fsf@kobe.laptop> <20081006115101.GA19442@icarus.home.lan> <720051dc0810060644n14495ee4k8f2942d16e634c78@mail.gmail.com>
On Mon, 6 Oct 2008 14:44:54 +0100, "James Seward" <jamesoff@gmail.com> wrote:
> On Mon, Oct 6, 2008 at 12:51 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>> I've never gotten a definite answer as to what happens if you use "flags
>> S/SA" on a rule that is for UDP, since UDP is a non-negotiated protocol.
>> That's why I split them up per protocol on RELENG_6 boxes.
>
> It intelligently ignores it:
>
> % pfctl -vn -f-
> pass out proto { tcp udp } all flags S/SA keep state
>
> Output:
>
> pass out proto tcp all flags S/SA keep state
> pass out proto udp all keep state

The ruleset optimizer displays something similar too:

> pfctl -sr -o basic

shows the same pair of rules :)
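To make the expansion shown in that pfctl -vn output concrete, here is an added example that is not part of the thread and not pf's own parser: a small rule expander that splits a `proto { tcp udp }` list into one rule per protocol and keeps the TCP-only `flags` option only on the tcp copy, the way the quoted output does. The function name and the regex-based parsing are my own assumptions about how to model this, not pfctl's implementation.

```python
import re

# pf options that only make sense for TCP; in the pfctl -vn output quoted
# above they survive on the tcp rule and vanish from the udp rule.
TCP_ONLY_OPTION_RE = re.compile(r"\s+flags\s+\S+")

# Matches 'proto { tcp udp }' and captures the protocol list inside the braces.
PROTO_LIST_RE = re.compile(r"proto\s*\{\s*([^}]+?)\s*\}")


def expand_proto_list(rule):
    """Expand a pf rule with a brace-list proto into one rule per protocol.

    Hypothetical helper mirroring the expansion pfctl -vn performs; it only
    handles the 'proto { ... }' list and the TCP-only 'flags' option.
    Returns a list of single-protocol rule strings, whitespace normalised.
    """
    m = PROTO_LIST_RE.search(rule)
    if not m:
        # No brace list: nothing to expand, return the rule as one entry.
        return [" ".join(rule.split())]

    expanded = []
    for proto in m.group(1).split():
        single = rule[: m.start()] + "proto " + proto + rule[m.end():]
        if proto != "tcp":
            # 'flags S/SA' is meaningless for a non-negotiated protocol such
            # as UDP, so it is dropped from every non-TCP copy of the rule.
            single = TCP_ONLY_OPTION_RE.sub("", single)
        expanded.append(" ".join(single.split()))
    return expanded


if __name__ == "__main__":
    # Constructed input: the exact rule James fed to 'pfctl -vn -f-'.
    for line in expand_proto_list("pass out proto { tcp udp } all flags S/SA keep state"):
        print(line)
```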