PF and State Table

[Jeremy Chadwick]

On Wed, Apr 02, 2008 at 09:17:07PM -0700, Kian Mohageri wrote:
> On Wed, Apr 2, 2008 at 1:33 PM, Mark Pagulayan
> <m.pagulayan at auckland.ac.nz> wrote:
> > Hi,
> >
> >  What pf version are you using? Correct me if I am wrong guys, on PF4.1
> >  which a the release version of pf on freebsd 7.0 when you specify keep
> >  state the flag S/A is implied?
> >
> 
> Correct, and if you leave out 'keep state' entirely, it will apply
> 'flags S/SA keep state'
> 
> e.g.,
> 
> kian at alvis:~
> > cat pf.conf
> pass on em0
> 
> kian at alvis:~
> > pfctl -vnf pf.conf
> pass on em0 all flags S/SA keep state

I'd like to know what exactly happens to UDP and ICMP packets when
hitting that rule, since UDP and ICMP don't have such flags.  The
documentation doesn't really discuss what happens in this case.

This is why I solicit having 3 separate rules for each protocol (TCP =
flags S/SA keep state, UDP = keep state, ICMP = keep state).

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |