Date: Wed, 14 May 2008 19:34:25 -0400
From: Tom Uffner <tom@uffner.com>
To: Mark Pagulayan <m.pagulayan@auckland.ac.nz>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Message-ID: <482B7701.4020901@uffner.com>
In-Reply-To: <C65291A68BAF57499B18564A1EE4A761370E38@UXCHANGE1.UoA.auckland.ac.nz>
References: <C65291A68BAF57499B18564A1EE4A761370E38@UXCHANGE1.UoA.auckland.ac.nz>
Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
>
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?

this is correct.

> The problem is that when it comes to this rule:
>
> pass in quick on $int_if
>
> after loading to pf
>
> pass in quick on em0 flags S/SA keep state
>
> The way I see this is that this rule would be applied to udp traffic as
> well which will be dropped/blocked because flags only work for tcp and
> this might be the cause of state-mismatches that I see in the table -
>
> state-mismatch 11577272 48.7/s

you are misinterpreting. Pf just does the right thing in most cases.
your rule "pass in quick on $int_if" is actually interpreted as the
following 3 rules:

pass in quick on em0 proto tcp flags S/SA keep state
pass in quick on em0 proto udp keep state
pass in quick on em0 proto icmp keep state

> How can we prevent pf from loading the flags S/SA in the rules
> automatically?

add the phrase "flags any". you must also add "no state" now if you do
not want stateful filtering for some reason.

> Also what is the effect of this on the block rule?
>
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'

you shouldn't have to worry about it. in almost all cases pf will do
what you mean with that.

tom
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?482B7701.4020901>
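The pf.conf fragment below is an added example, not part of the thread or of any FreeBSD source. It puts the bare rule from the question next to the per-protocol form Tom describes, the "flags any" and "no state" opt-outs he suggests, and the block rules Mark asked about. The interface names and the $int_if/$ext_if macros come from the thread; the port number and the second interface name are assumptions for illustration only. To see what pf actually loads, parse the file without applying it: `pfctl -nvf /etc/pf.conf` prints every rule in its expanded form, including the flags and state options pf filled in. The state-mismatch counter Mark quotes is visible in `pfctl -si`.

```pf
# Added example (not from the thread): /etc/pf.conf fragment showing how pf on
# FreeBSD 7.0 treats a bare "pass" rule and how to opt out of the defaults.
# $int_if/$ext_if follow the thread; "em1" and port 5060 are assumptions.

int_if = "em0"
ext_if = "em1"

# Block rules from the question. "block" never creates state, so the implicit
# "flags S/SA keep state" that pf adds to pass rules does not touch them.
block in log on $ext_if all
block return out log on $ext_if all

# 1. The bare rule as written in the question. pf loads it as
#      pass in quick on em0 flags S/SA keep state
#    The flags check is evaluated for TCP only: a UDP or ICMP packet that hits
#    this rule is still passed and still gets a state entry.
pass in quick on $int_if

# 2. The same thing spelled out per protocol. This is functionally what the
#    bare rule does, and it makes the TCP-only flags check explicit.
pass in quick on $int_if proto tcp flags S/SA keep state
pass in quick on $int_if proto udp keep state
pass in quick on $int_if proto icmp keep state

# 3. Keep state but drop the implicit flags. With "flags any" pf will create a
#    state from any TCP packet, including one from the middle of a connection,
#    so the SYN-only guard against stray packets is lost. Use it only where a
#    specific service needs it.
pass in quick on $int_if proto tcp flags any keep state

# 4. Fully stateless, as Tom describes: "flags any" plus "no state". No state
#    entry means reply packets are no longer matched automatically, so the
#    return direction needs its own stateless rule or it falls through to
#    whatever block rules cover that interface.
pass in  quick on $int_if proto tcp to   port 5060 flags any no state
pass out quick on $int_if proto tcp from port 5060 flags any no state
```

Rule order matters in pf (last match wins unless a rule is "quick"), so keep the stateless pair together and ahead of any broader pass rule on the same interface; otherwise the broader stateful rule will still create a state for that traffic.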