pf states

Ivan Levchenko levchenko.i at gmail.com
Mon Jul 31 11:04:59 UTC 2006


Thanks a lot for the tips, will keep them in mind.

I have seen those states on port 53 for UDP.

P.S. pf works like a charm... Just out of interest, I looked into
/etc/rc.firewall and I was just terrified by it. pf looks like a
breath of fresh air.

On 7/31/06, Darrin Chandler <dwchandler at stilyagin.com> wrote:
> On Sun, Jul 30, 2006 at 09:33:15PM +0000, Ivan Levchenko wrote:
> > Thanks, I have "some knowledge" of these things (at least I have been
> > reading the man pages for pf and altq, and the OpenBSD pf FAQ =) ..
> >
> > Like always ... there is still more reading ahead.
> >
> > Thanks.
>
> The thing that I forgot to mention is that pf tries to keep state for
> udp and icmp, even though these are not strictly stateful protocols. So
> there are "state" entries that you will not find any information about
> if you go read about icmp or udp.
>
> For instance, if you have a default "block in" rule, but a "pass out
> icmp keep state" and you send out a ping (icmp echo-request) then pf
> will create a state waiting for the echo reply and let it in. The same
> goes for udp, which is often seen on port 53 for DNS.
>
> It's good that you want to know what is going on and are learning. Too
> many people do not.
>
> --
> Darrin Chandler            |  Phoenix BSD Users Group
> dwchandler at stilyagin.com   |  http://bsd.phoenix.az.us/
> http://www.stilyagin.com/  |
>


-- 

Best Regards,

Ivan Levchenko
Manager of Programming department
levchenko.i at gmail.com
ilevchenko at geeksforless.net
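An added pf.conf fragment (not from either poster) showing the setup Darrin describes above: a default "block in" with stateful outbound rules, so that ICMP echo replies and UDP DNS answers are admitted only because pf created a state for the outgoing packet. The interface name em0 is an assumption.

```pf
# Added example pf.conf (not from the thread): default "block in" plus
# stateful outbound rules, illustrating why state entries exist for UDP
# and ICMP even though neither protocol carries connection state itself.
ext_if = "em0"          # assumed interface name

# Default deny for everything inbound; log drops so they can be reviewed
block in log on $ext_if

# Outbound ping: pf records a state for the echo-request and lets the
# matching echo-reply back in without any explicit "pass in" rule.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Outbound DNS: a UDP query to port 53 creates a state so the single
# reply is accepted; this is the port-53 UDP state mentioned above.
pass out on $ext_if proto udp to any port 53 keep state

# Ordinary TCP, stateful as usual
pass out on $ext_if proto tcp keep state
```

After sending a ping or DNS lookup, `pfctl -ss` lists the resulting ICMP and UDP state entries, and `pfctl -st` shows the (shorter) timeouts pf applies to them compared with established TCP.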


More information about the freebsd-questions mailing list