pf - SCTP ports are not allowed in filter rules.
Kristof Provost
kp at FreeBSD.org
Sun Apr 25 08:08:55 UTC 2021
On 25 Apr 2021, at 7:56, Özkan KIRIK wrote:
> The SCTP protocol header has src port and dst port fields. But pf doesn't
> support them.
>
> # echo "pass log (to pflog0) quick proto SCTP from any to any port 13873" | pfctl -f -
> stdin:1: port only applies to tcp/udp
> stdin:1: skipping rule due to errors
> stdin:1: rule expands to no valid combination
> pfctl: Syntax error in config file: pf rules not loaded
> #
>
> I tried to write the same rule with ipfw. It works.
>
> # ipfw add 200 allow sctp from any to any 13873
> 00200 allow sctp from any to any 13873
>
> Do I have a mistake, or is filtering for SCTP ports not supported by
> pf?
> Is it possible to fix it?
>
Pf does not support SCTP in any meaningful way.
I have no plans to add SCTP support either. Note that doing so involves
a lot more than just teaching it to look at SCTP port numbers. Pf is a
/stateful/ firewall, so we’d have to teach it the entire SCTP protocol
lifecycle.
Best regards,
Kristof
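As an added illustration, not part of the thread, here is a small Python parser for the SCTP common header and chunk list. It shows the src/dst port fields the question refers to, and the chunk types (INIT, COOKIE ECHO, SHUTDOWN, ...) a stateful filter would have to track to follow the association lifecycle Kristof mentions. The sample packet is constructed, and its CRC32c checksum is left at zero rather than computed.

```python
"""Parse the SCTP common header and chunk list from a raw SCTP payload."""
import struct
from typing import List, NamedTuple

# SCTP common header (RFC 4960, section 3.1), 12 bytes:
# src port (2), dst port (2), verification tag (4), CRC32c checksum (4)
COMMON_HEADER = struct.Struct("!HHII")
# Every chunk starts with: type (1), flags (1), length (2, incl. this header)
CHUNK_HEADER = struct.Struct("!BBH")

CHUNK_TYPES = {0: "DATA", 1: "INIT", 2: "INIT ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT ACK", 6: "ABORT", 7: "SHUTDOWN", 8: "SHUTDOWN ACK",
               10: "COOKIE ECHO", 11: "COOKIE ACK", 14: "SHUTDOWN COMPLETE"}


class SctpPacket(NamedTuple):
    src_port: int
    dst_port: int
    vtag: int
    chunks: List[str]


def parse_sctp(payload: bytes) -> SctpPacket:
    """Return ports, verification tag and chunk type names; reject truncated input."""
    if len(payload) < COMMON_HEADER.size:
        raise ValueError("truncated SCTP common header")
    src, dst, vtag, _csum = COMMON_HEADER.unpack_from(payload, 0)
    chunks = []
    off = COMMON_HEADER.size
    while off < len(payload):
        if off + CHUNK_HEADER.size > len(payload):
            raise ValueError("truncated chunk header")
        ctype, _flags, clen = CHUNK_HEADER.unpack_from(payload, off)
        if clen < CHUNK_HEADER.size or off + clen > len(payload):
            raise ValueError(f"bad chunk length {clen} at offset {off}")
        chunks.append(CHUNK_TYPES.get(ctype, f"UNKNOWN({ctype})"))
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return SctpPacket(src, dst, vtag, chunks)


def matches_port(pkt: SctpPacket, port: int) -> bool:
    """The 'port' test pf refuses for proto sctp: match on either end of the header."""
    return port in (pkt.src_port, pkt.dst_port)


# Constructed sample: an INIT chunk (initiate tag, a_rwnd, out/in streams, initial
# TSN) from ephemeral port 40000 to 13873, the port used in the post. Per RFC 4960
# the verification tag of a packet carrying INIT is 0; checksum is left 0 here.
INIT_CHUNK = CHUNK_HEADER.pack(1, 0, 20) + struct.pack("!IIHHI", 0xDEADBEEF, 65535, 10, 10, 1)
SAMPLE_PACKET = COMMON_HEADER.pack(40000, 13873, 0, 0) + INIT_CHUNK

if __name__ == "__main__":
    print(parse_sctp(SAMPLE_PACKET))  # SctpPacket(src_port=40000, dst_port=13873, vtag=0, chunks=['INIT'])
```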