From owner-freebsd-pf@FreeBSD.ORG  Mon Nov 16 10:59:33 2009
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8E96F106566C
	for <freebsd-pf@freebsd.org>; Mon, 16 Nov 2009 10:59:33 +0000 (UTC)
	(envelope-from ask@develooper.com)
Received: from x8.develooper.com (mbox1.develooper.com [207.171.7.178])
	by mx1.freebsd.org (Postfix) with ESMTP id 5AD538FC13
	for <freebsd-pf@freebsd.org>; Mon, 16 Nov 2009 10:59:33 +0000 (UTC)
Received: (qmail 31412 invoked from network); 16 Nov 2009 10:59:32 -0000
Received: from cpe-75-83-150-233.socal.res.rr.com (HELO embla.bn.dev)
	(ask@mail.dev@75.83.150.233)
	by smtp.develooper.com with ESMTPA; 16 Nov 2009 10:59:32 -0000
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset=us-ascii
From: =?iso-8859-1?Q?Ask_Bj=F8rn_Hansen?= <ask@develooper.com>
In-Reply-To: <20091116104413.GA32966@mx.hs.ntnu.edu.tw>
Date: Mon, 16 Nov 2009 02:59:32 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <6967A89E-CF55-4F65-972E-864AAA50ED32@develooper.com>
References: <B4BDA459-66C1-4FC5-8C27-E090C3FD85E7@develooper.com>
	<20091116104413.GA32966@mx.hs.ntnu.edu.tw>
To: Denny Lin <dennylin93@cnmc32.hs.ntnu.edu.tw>
X-Mailer: Apple Mail (2.1077)
Cc: freebsd-pf@freebsd.org
Subject: Re: Avoid keeping state of ntp requests
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 10:59:33 -0000


On Nov 16, 2009, at 2:44, Denny Lin wrote:

>=20
>> I'm trying to avoid keeping state of ntp requests to our ntp servers. =
 They are on UDP and numerous, so it's just wasting a lot of space in =
the state table.
>>=20
>> I've tried various variations of 'pass quick', but some rule keeps =
adding state for the port 123 requests.   I've put the full output of =
'pfctl -sa' here:
>=20
> Have you tried adding "no state" at the end of the rule? This way they
> aren't added to the state table.

Hi Denny,

Yes, indeed - that's what I'm doing; I should have made that explicit in =
the mail.

I've put the pfctl -vsr output up here:

	http://tmp.askask.com/2009/11/pfctl-vsr.txt

[ a little later ]

Aargh!   The problem was that the table in my rule was <ntp_servers>, =
but the table with the IP addresses was <ntp_hosts>!

Thanks for making me take a second[1] look.


 - ask


[1] That's a joke, more like look number 217!