pf creating states by default now?
Olli Hauer
ohauer at gmx.de
Sun Sep 7 15:58:35 UTC 2008
> Hi all,
>
> After upgrading a production machine from 6.x to 7.x,
> I noticed that pf would create states from rules without
> "keep state". IMSMR, it hadn't happened before, and
> the pf.conf(5) manpage still says one has to specify
> "keep state" explicitly for pf to create states.
>
> Just examined this issue more closely on a CURRENT machine.
> If I load the following simple pf.conf file:
>
> > set skip on lo0
> > block return all
> > pass out all
> > pass in inet proto icmp all icmp-type echoreq
> > pass in inet proto tcp from any to any port 22
>
>
> then I get these actual rules as shown by "pfctl -s rules":
>
> > block return all
> > pass out all flags S/SA keep state
> > pass in inet proto icmp all icmp-type echoreq keep state
> > pass in inet proto tcp from any to any port = ssh flags S/SA keep state
>
>
> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> that weren't there initially. Is this effect intended and, if so, how
> can I tell pf not to create states from certain rules?
>
> Thanks! And excuse me if I'm just missing something.
>
> Yar
>
Yes, it is not in man pf.conf(5) but in the Rel Notes http://www.freebsd.org/releases/7.0R/relnotes.html
See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
The man page matches the OpenBSD one http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
What is your reason for not using 'S/SA keep state' in these rules?
You can disable this with the 'no state' keyword.
Regards,
olli