On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
>   pass on $eth from $lan to $lan
>
> However, in pf, "keep state" is *implicit* (why?), so you'd expect it
> to turn into something like this:
>
>   pass on $eth from $lan to $lan keep state
>
> but what you actually get is this:
>
>   pass on $eth from $lan to $lan flags S/SA keep state
>
> which only matches TCP handshakes, so your UDP streams are screwed.

I don't think this is true.  It will match any protocol, but if it is tcp 
it will make sure it's the initial SYN.  This is necessary in order to 
have the state tracking work with window scaling etc.

In my quick testing, icmp and udp both match the expanded rule.

> Workaround: explicitly specify TCP and UDP, causing pf to split the
> rule into two:
>
>   pass on $eth inet proto { tcp, udp } from $lan to $lan
>
> becomes
>
>   pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
>   pass on $eth inet proto udp from $lan to $lan keep state
>
> There does not seem to be any way to turn off this misguided rewriting
> of firewall rules.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
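As an added illustration (not part of either message in the thread), the ruleset below puts both forms side by side with assumed macro values for $eth and $lan, and shows the pfctl invocation that prints the expanded rules without loading them, which is the quickest way to see the "flags S/SA keep state" rewrite for yourself:

```pf
# Added example; the interface and network are assumed values, not from the thread.
eth = "em0"
lan = "192.168.1.0/24"

# Written as a single rule. pf expands it to
#   pass on $eth from $lan to $lan flags S/SA keep state
# The flags check is applied to TCP only; UDP and ICMP packets still match
# and still create state.
pass on $eth from $lan to $lan

# Protocols listed explicitly. pf splits this into two rules, the TCP one
# carrying "flags S/SA keep state", the UDP one just "keep state".
pass on $eth inet proto { tcp, udp } from $lan to $lan

# Parse and print the expanded ruleset without activating it:
#   pfctl -nvf /etc/pf.conf
```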
