UDP weirdness
Jeremy Chadwick
koitsu at freebsd.org
Wed May 7 21:43:52 UTC 2008
On Wed, May 07, 2008 at 04:54:22PM -0400, Ansar Mohammed wrote:
> But I thought pf would be tracking state?
> Isn't that the whole point of stateful firewalls?
UDP is stateless; however, pf still tracks the "state" in the sense that
it knows when there's an outbound or inbound initial packet for UDP,
thus creates a "state" for it. It can do the same with ICMP. I believe
the teardown/state removal is based on a timeout (of when it last sees
packets matching that src/dst IP and port).
Keep in mind that if you're using RELENG_6, you'll need "keep state" on
those pass in/pass out rules you used. If you're using RELENG_7, "keep
state" is implicit, so you won't need to specify it in your config.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
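To make the point above concrete, here is an added pf.conf fragment (not from the original message or from the FreeBSD project) showing the explicit `keep state` that RELENG_6 needs on a UDP pass rule, the UDP state timeouts pf uses to expire those entries, and the implicit RELENG_7 form; the interface name and resolver address are assumptions.

```pf
# Added example, not from the original mail. Interface and address are assumed.
ext_if  = "em0"
dns_srv = "192.0.2.53"   # placeholder resolver address (TEST-NET-1)

# UDP has no handshake, so pf keys the state entry on src/dst address and port
# and expires it by timeout rather than by seeing a FIN or RST.
# These are the pf defaults; lower them only if you understand the traffic.
set timeout udp.first    60   # first packet seen, no reply yet
set timeout udp.single   30   # traffic still seen in one direction only
set timeout udp.multiple 60   # packets seen in both directions

block in on $ext_if

# RELENG_6: "keep state" must be written out. Without it no state entry is
# created and the DNS reply is dropped by the "block in" rule above.
pass out on $ext_if proto udp from any to $dns_srv port 53 keep state

# RELENG_7 and later: pass rules are stateful by default, so this is equivalent.
# pass out on $ext_if proto udp from any to $dns_srv port 53
```

Load with `pfctl -f /etc/pf.conf`, then `pfctl -ss` lists the resulting entries (UDP ones appear with states such as SINGLE:NO_TRAFFIC or MULTIPLE:MULTIPLE) and `pfctl -st` prints the timeouts in effect.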