Jeremy Chadwick wrote:
This isn't a reply to you (Doug), but -- do not blindly use "keep state"
everywhere!
Hard cases make for bad laws. I have got to point out the error in the
above statement.
There's been too many cases I've experienced where using "keep state"
blindly results in state-mismatch increasing at a very fast rate. When
I implemented this mentality on our production servers, our users
started pointing out that scp's between machines would randomly get
severed mis-stream, same with ssh sessions where large TCP windows were
used (such as doing 'dmesg' over and over):
http://lists.freebsd.org/pipermail/freebsd-pf/2008-January/004050.html
Which (taking a rough guess) looking at your rule set in the above has
very little to do with 'keep state' and a lot to do with 'modulate
state'. IIRC there is a filed bug which displays all of the
aforementioned symptoms when modulate state meets selective
acknowledgement (SACK). I'm sure Max has the gory detail, it may even be
fixed.
The "use keep state on everything!" attitude seems to stem from people
reading the OpenBSD pf.conf documentation, which states that as of
OpenBSD 4.1, "keep state" is implicit on every rule (meaning it's done
whether you say "keep state" or not). FreeBSD's pf isn't like this.
You miss out the most important bit of the new PF 4.1 state keeping
defaults, 'flags S/SA'.
Our cousins over the road in the OpenBSD neighbourhood have done this
precisely because of the issues caused in prior versions of PF by using
stateless rules and/or establishing TCP state on anything other than the
3 way handshake.
It gets more confusing when you consider the fact that even though UDP
and ICMP are stateless protocols, pf can keep track of their state too,
though I don't know if FreeBSD pf supports that (OpenBSD pf does).
This is not a flame, but if you really do not know that, you really
should not be publicly advocating a position on the basis of incomplete
information.
Regards
Greg
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
