From owner-freebsd-pf@FreeBSD.ORG Wed May 14 23:34:52 2008
From: Tom Uffner <tom@uffner.com>
To: Mark Pagulayan
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Date: Wed, 14 May 2008 19:34:25 -0400
Message-ID: <482B7701.4020901@uffner.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?

This is correct.

> The problem is that when it comes to this rule:
>
> pass in quick on $int_if
>
> after loading to pf
>
> pass in quick on em0 flags S/SA keep state
>
> The way I see this is that this rule would be applied to udp traffic as
> well which will be dropped/blocked because flags only work for tcp and
> this might be the cause of state-mismatches that I see in the table -
>
> state-mismatch 11577272 48.7/s

You are misinterpreting. Pf just does the right thing in most cases. Your
rule "pass in quick on $int_if" is actually interpreted as the following
3 rules:

pass in quick on em0 proto tcp flags S/SA keep state
pass in quick on em0 proto udp keep state
pass in quick on em0 proto icmp keep state

> How can we prevent pf from loading the flags S/SA in the rules
> automatically?

Add the phrase "flags any". You must also add "no state" now if you do
not want stateful filtering for some reason.

> Also what is the effect of this on the block rule?
>
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'

You shouldn't have to worry about it. In almost all cases pf will do what
you mean with that.

tom
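The following is an added example, not part of Tom's or Mark's mail and not from the FreeBSD project. It puts the implicit rule Mark asked about next to the explicit opt-out Tom suggests, and checks the result with "pfctl -nvf" (parse only, verbose), which prints the rules as pf actually expanded them. The interface names em0/em1, the temporary file and the ruleset itself are assumptions for illustration; "pfctl -nvf" is only run if pfctl exists on the machine, and may need root to open /dev/pf.

```sh
#!/bin/sh
# Added example (not from the original mail). Writes a small pf.conf that shows
# the implicit "flags S/SA keep state" expansion beside the explicit form that
# turns it off, then asks pfctl to print the rules the way pf will load them.
set -eu

# Write the sample ruleset to the file named in $1.  Interface names and the
# rules are assumptions made for this example.
write_ruleset() {
    cat > "$1" <<'EOF'
int_if = "em0"
ext_if = "em1"

# Default behaviour (pf 4.1, FreeBSD 7.0): this one rule is loaded as if it were
#   pass in quick on em0 proto tcp flags S/SA keep state
#   pass in quick on em0 proto udp keep state
#   pass in quick on em0 proto icmp keep state
# so UDP and ICMP are not affected by the TCP flag check.
pass in quick on $int_if

# Explicit opt-out, as Tom suggests: "flags any" stops pf from adding
# "flags S/SA", and "no state" is needed as well if stateful filtering
# is not wanted.
pass in quick on $int_if flags any no state

# Block rules from the question, left as they are.
block in log on $ext_if all
block return out log on $ext_if all
EOF
}

# Count the pass/block rules in a ruleset (comment lines are skipped).
rule_count() {
    grep -c -E '^(pass|block)' "$1"
}

# Parse the ruleset without loading it (-n) and print the expanded rules (-v).
# pfctl is only present on a pf host, so fall back to a message elsewhere.
show_expansion() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nvf "$1"
    else
        echo "pfctl not found; inspect $1 by hand" >&2
    fi
}

# Usage (uncomment to run by hand):
#   f=$(mktemp); write_ruleset "$f"; show_expansion "$f"; rm -f "$f"
```

On a FreeBSD host, "pfctl -nvf" should print the first pass rule with "flags S/SA keep state" and the second with "flags any no state"; the two block rules come back unchanged. Comparing the printed rules with the file is the quickest way to see what pf added on your behalf.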