Date:      Thu, 16 Oct 2008 00:19:48 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Jon Radel <jon@radel.com>
Cc:        Peter Clark <clarkp@mtmary.edu>, freebsd-pf@freebsd.org, Ermal Luçi <ermal.luci@gmail.com>
Subject:   Re: PF syntax error
Message-ID:  <48F66C84.3030505@quip.cz>
In-Reply-To: <48F65AD9.808@radel.com>
References:  <48F621C2.8080405@mtmary.edu>	<20081015202725.GA88225@icarus.home.lan>	<9a542da30810151332v54c6a9a8jb00a2afbd8214b26@mail.gmail.com> <48F65AD9.808@radel.com>

Jon Radel wrote:
> Ermal Luçi wrote:
> 
>>On Wed, Oct 15, 2008 at 10:27 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:
>>
>>>On Wed, Oct 15, 2008 at 12:00:50PM -0500, Peter Clark wrote:
>>>
>>>>Hello,
>>>>
>>>>I am not sure if I should be here or over at a pf specific list but here
>>>>is my problem.
>>>
>>>I've changed the CC list, so this will now go to the freebsd-pf mailing
>>>list instead.
>>>
>>>
>>>>I am trying my hand at pf on a 7.0-p5 RELEASE box and one rule is giving
>>>>me problems.
>>>>
>>>>pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>>>
>>>> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
>>>>global)
>>
>>Is it a copy-paste error, or did you forget keep state in there?
>>It should look like:
>>pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
>>keep state(max-src-conn 15, max-src-conn-rate 5/3, overload
>><bruteforce> flush global)
> 
> 
> And here I thought "keep state" was the default in the pf shipped with
> FreeBSD 7.0....
> 
> Actually, it is, as is "flags S/SA" on TCP connections.  Those defaults
> came in with the PF from OpenBSD 4.1, which is what is used in FreeBSD 7.0.

Yes, keep state is the default, but the syntax for source tracking requires 
these to be given explicitly, as stated in man pf.conf:

------------- man pf.conf --------------
STATEFUL TRACKING OPTIONS
A number of options related to stateful tracking can be applied on a per 
rule basis.  keep state, modulate state and synproxy state support these
options, and *keep state must be specified explicitly* to apply options 
to a rule.
------------- man pf.conf --------------

Miroslav Lachman
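A complete pf.conf fragment built around the corrected rule, as an added example that is not part of the thread: the table name, the port and the tracking limits are the ones discussed above, while the interface name and the surrounding rules are assumptions.

```pf
# /etc/pf.conf fragment (added example): SSH brute-force throttling with
# source tracking. Table name and limits follow the thread; the interface
# name and the surrounding rules are illustrative and must be adapted.
ext_if = "em0"                      # assumption: external interface name

# Table that "overload" fills with offending source addresses.
# "persist" keeps the table even when no rule currently references it.
table <bruteforce> persist

# The block rule must come BEFORE the pass rule: both are "quick", and the
# first matching quick rule wins, so an address already in <bruteforce>
# is dropped before the SSH pass rule is ever considered.
block in quick on $ext_if from <bruteforce> to any

# The rule from the thread with "keep state" written explicitly. Even
# though keep state (and flags S/SA) is the default on this pf, the
# stateful tracking options in parentheses only attach to a rule that
# names keep state, modulate state or synproxy state.
#   max-src-conn 15       at most 15 simultaneous states per source address
#   max-src-conn-rate 5/3 at most 5 new connections per 3 seconds per source
#   overload <bruteforce> a source exceeding either limit is added to the table
#   flush global          and all of its states, from any rule, are killed
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; addresses added by overload do not expire on their own, so age them out periodically, for example with `pfctl -t bruteforce -T expire 86400`.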


