pf creating states by default now?
Yar Tikhiy
yar at comp.chem.msu.su
Sun Sep 7 13:58:18 UTC 2008
Hi all,
After upgrading a production machine from 6.x to 7.x,
I noticed that pf would create states from rules without
"keep state". IMSMR, it hadn't happened before, and
the pf.conf(5) manpage still says one has to specify
"keep state" explicitly for pf to create states.
Just examined this issue more closely on a CURRENT machine.
If I load the following simple pf.conf file:
> set skip on lo0
> block return all
> pass out all
> pass in inet proto icmp all icmp-type echoreq
> pass in inet proto tcp from any to any port 22
then I get these actual rules as shown by "pfctl -s rules":
> block return all
> pass out all flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in inet proto tcp from any to any port = ssh flags S/SA keep state
Looks like pfctl or pf itself added stateful semantics to my pf.conf
that weren't there initially. Is this effect intended and, if so, how
can I tell pf not to create states from certain rules?
Thanks! And excuse me if I'm just missing something.
Yar
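As an added illustration for the question above (not part of the original post or of the FreeBSD project's documentation): in pf versions where rules are stateful by default, the per-rule `no state` option turns state tracking off for that rule, and `pfctl -nvf` parses the file and prints the expanded rules without loading them, so the effect can be checked before a reload. The rule set below is the poster's own, with one constructed variant of the SSH rule marked `no state`; the host and file path are assumptions.

```conf
# /etc/pf.conf (constructed example based on the rule set in the post)
set skip on lo0
block return all
pass out all

# Default behaviour: pfctl expands this to
#   "... icmp-type echoreq keep state"
pass in inet proto icmp all icmp-type echoreq

# Explicitly stateless variant (assumed option "no state"):
# pf will not create a state entry for matching packets, so each
# packet of the connection is evaluated against the rule set on its own,
# and reply traffic is covered only because "pass out all" passes it.
pass in inet proto tcp from any to any port 22 no state

# Verify the expansion without loading the rules:
#   pfctl -nvf /etc/pf.conf
# The stateless rule should print without the trailing
# "flags S/SA keep state" that the post shows on the default rules.
```

A stateless pass rule gives up the sequence-number and flag tracking that `flags S/SA keep state` provides, so the usual reason to use it is deliberate, for example for traffic whose asymmetric routing means pf never sees both directions, rather than as a general default.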