pf's states
Victor Sudakov
vas at sibptus.ru
Tue Dec 3 09:49:13 UTC 2019
Morgan Wesström wrote:
> > Do you mean to say that a state checks not only address:port pairs, but
> > also TCP flags? This is a new notion for me. What would be a "pass" rule
> > to create a "catch all" state with no regard for TCP flags?
>
> For TCP it checks the flags when the state is created. From man pf.conf
Forget TCP for now, let's explain the ICMP ping case I posted earlier.
[dd]
> > I'm afraid this is an incorrect assumption. According to man pf.conf, by
> > default "state-policy=floating" and state is not bound to interfaces.
> > The output of "pfctl -s state" does not indicate any interfaces either,
> > just protocols, addresses and ports.
> >
>
> This is weird. My state tables clearly show the interface name first on
> the line instead of "all", but I use state-policy if-bound. I have no
> experience with floating mode, thus my assumptions earlier. I apologize
> if I was wrong.
You need not apologize; my lab runs a very basic pf configuration where
state-policy=floating by default.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
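The difference the two posters see in "pfctl -s state" comes down to the first column of each line: "all" for a floating state (the default "set state-policy floating") versus the interface name for an if-bound state. The following script is an added example, not code from the thread or from the pf project; the state lines it parses are constructed to look like FreeBSD pfctl output (interface, protocol, source, direction arrow, destination, state string, with an optional parenthesised pre-NAT address), and the column layout is an assumption that matches what the thread describes, not a guarantee for every pf version.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -s state` output (not captured from the
# thread's lab). First column: "all" = floating state, otherwise the
# interface the state is bound to (state-policy if-bound). The ICMP line
# uses the echo id in the "port" position, which is how pf keys ping states.
SAMPLE_STATES = """\
all icmp 10.0.0.5:4242 -> 8.8.8.8:4242       0:0
all tcp 10.0.0.5:49152 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.10:22 <- 192.168.1.20:50000       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.10:53 <- 192.168.1.20:40000       MULTIPLE:SINGLE
all tcp 203.0.113.1:50000 (10.0.0.5:49152) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

# One state line; an address may be followed by "(orig:port)" when NAT applied.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+(?:\s\(\S+\))?)\s+(?P<dir>->|<-)\s+"
    r"(?P<dst>\S+(?:\s\(\S+\))?)\s+(?P<state>\S+)$"
)


def parse_state_line(line):
    """Return a dict for one pfctl state line, or None if it does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # "all" means the state is not bound to any interface (floating policy).
    entry["floating"] = entry["ifname"] == "all"
    return entry


def parse_states(text):
    """Parse every recognisable state line from a block of pfctl output."""
    parsed = (parse_state_line(line) for line in text.splitlines())
    return [entry for entry in parsed if entry is not None]


def summarize(states):
    """Count states per binding: 'floating' or the bound interface name."""
    counts = Counter(
        "floating" if s["floating"] else s["ifname"] for s in states
    )
    return dict(counts)


if __name__ == "__main__":
    for s in parse_states(SAMPLE_STATES):
        binding = "floating" if s["floating"] else f"bound to {s['ifname']}"
        print(f"{s['proto']:5} {s['src']} {s['dir']} {s['dst']}  [{binding}]")
    print(summarize(parse_states(SAMPLE_STATES)))
```

Run it against real output with `pfctl -s state | python3 pfstates.py` after replacing the sample with `sys.stdin.read()`; a host running the default floating policy should report only "floating", while an if-bound host reports one bucket per interface.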