stateful rulesets with PF
Kian Mohageri
kian at restek.wwu.edu
Thu Jan 26 11:49:07 PST 2006
I've read a bit about how keeping state works with PF and written
rulesets which look logical to me, but present some problems
intermittently. I believe it has to do with the creation of state
entries, and how PF judges what to do in any case.
> pass in quick on em0 proto tcp from <trusted> to any port = 3306 keep state
As I understood it, because I did not specify any flags such as S/SA, pf
will be able to pass packets starting mid-session (how or if it does
this is where I'm unclear). I'm also unclear about how it will ever
judge whether or not to drop packets from <trusted> to port 3306.
Generally this rule (or a similar one) would work fine, however I run
into problems occasionally in which a client is unable to bypass the
firewall to connect to 3306 (mysql) on this server. I notice it mostly
with PHP scripts which constantly query the database server.
My initial thought was to check the number of entries in the state table
which I figured might have been full, but it was nowhere near full.
Are there times when stateful rules cause problems like this? It seems
like "flags S/SA keep state" should work just fine, which it *usually*
does...but thought I'd ask the experts anyway since I'm seeing problems.
Thanks,
Kian
--
Kian Mohageri
ResTek, Western Washington University
kian at restek.wwu.edu
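The rule from the post beside a stricter variant, as an added pf.conf fragment that is not part of the original message. The interface name em0 and the <trusted> table follow the post; the table addresses and the macro names are constructed for illustration. The comments record the relevant pf behaviour: without a flags specification, pf may create a state from a TCP packet that is not the initial SYN, and such a mid-stream state never saw the window-scaling option exchanged in the handshake, so pf's window checks can reject legitimate segments later. The pfctl commands listed are the standard ones for inspecting the state table on the firewall.

```conf
# Added example, not from the original post.  Two ways to pass MySQL
# traffic from <trusted> to this host on em0.

ext_if = "em0"
table <trusted> { 10.0.0.0/24, 192.168.1.5 }   # constructed addresses

# Loose form, as in the post (kept commented out here).  With no "flags",
# pf creates state from whichever TCP packet matches first, including a
# packet from the middle of an already established connection.  A state
# picked up mid-stream never saw the SYN/SYN-ACK exchange, so pf does not
# know the window scaling factor the endpoints negotiated and its
# sequence-window checks can drop legitimate segments once the window grows.
#
# pass in quick on $ext_if proto tcp from <trusted> to any port = 3306 keep state

# Strict form: only a packet with SYN set and ACK clear (a fresh connection
# attempt) may create state, so every state starts from the handshake and
# carries the window scale.  A connection whose state has expired is not
# silently picked up again; the client has to open a new connection.
pass in quick on $ext_if proto tcp from <trusted> to any port = 3306 \
    flags S/SA keep state

# Checks to run on the firewall when a client is intermittently blocked:
#   pfctl -s info            state table "current entries" and counters
#   pfctl -s memory          the configured "states" hard limit
#   pfctl -ss | grep ':3306' live states for the MySQL port
#   pfctl -s rules -v        per-rule Evaluations/Packets/Bytes/States
```

Comparing the state count from pfctl -s info against the limit from pfctl -s memory answers the "table full" question; comparing the number of MySQL states against the number of connections the PHP clients believe they hold shows whether states are being lost or created mid-stream.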