Date: Tue, 3 Dec 2019 16:49:11 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191203094911.GF40372@admin.sibptus.ru>
In-Reply-To: <aefb012b-970d-9c64-4f5d-31133b2b68ce@pp.dyndns.biz>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz> <20191203034903.GA33853@admin.sibptus.ru> <aefb012b-970d-9c64-4f5d-31133b2b68ce@pp.dyndns.biz>

Morgan Wesström wrote:
> > Do you mean to say that a state checks not only address:port pairs, but
> > also TCP flags? This is a new notion for me. What would be a "pass" rule
> > to create a "catch all" state with no regard for TCP flags?
>
> For TCP it checks the flags when the state is created. From man pf.conf

Forget TCP for now, let's explain the ICMP ping case I posted earlier.

[dd]

> > I'm afraid this is an incorrect assumption. According to man pf.conf, by
> > default "state-policy=floating" and state is not bound to interfaces.
> > The output of "pfctl -s state" does not indicate any interfaces either,
> > just protocols, addresses and ports.
> >
>
> This is weird. My state tables clearly show the interface name first on
> the line instead of "all" but I use state-policy if-bound. I have no
> experience with floating mode, thus my assumptions earlier. I apologize
> if I was wrong.

You need not apologize, my lab runs a very basic pf configuration where
state-policy=floating by default.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/