On Wed, Mar 26, 2008 at 4:42 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> Now the opposite, where some host on the Internet attempts to connect to
> 4.4.4.4 on port 22:
>
> somehost -> pfbox = TCP flags SYN set, ACK not set
>   = PASS: matches rule #4
> pfbox -> somehost = TCP flags: SYN set, ACK set
>   = PASS: matches rule #2
> somehost -> pfbox = TCP flags SYN not set, ACK set
>   = PASS: matches rule #4
>
> A state-table entry won't be created for this one, since rule #1
> specifies "flags S/SA" (won't match SYN+ACK both set).
>
> If one was to add "keep state" to rule #4 (RELENG_6), or use RELENG_7
> (where "keep state" is implied) and some host on the Internet attempts
> to connect to 4.4.4.4 on port 22, we should see:
>
> somehost -> pfbox = TCP flags SYN set, ACK not set
>   = PASS: matches rule #4
>   = pf creates state-table entry for tracking
> pfbox -> somehost = TCP flags: SYN set, ACK set
>   = PASS: has state-table entry
> somehost -> pfbox = TCP flags SYN not set, ACK set
>   = PASS: has state-table entry
>
> Do we agree?
>
> --
> | Jeremy Chadwick                          jdc at parodius.com |
> | Parodius Networking                 http://www.parodius.com/ |
> | UNIX Systems Administrator             Mountain View, CA, USA |
> | Making life hard for others since 1977.        PGP: 4BD6C0CB |

Seems to be OK now. Sorry, I should have made it clearer in the previous message; I meant, and should've said, "SYN-ACK", i.e. the response packet from the host.
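As an added illustration (not part of the thread, and a toy model rather than pf itself), the following Python reproduces the two evaluations quoted above: a stateless rule #4 lets the SYN, the SYN-ACK (via rule #2) and the bare ACK through one rule at a time, while rule #4 with "flags S/SA keep state" passes only the SYN on the rule and the rest on the state entry. Rule numbers, the port-22 destination and the "somehost" client come from the thread; the rule bodies, the ephemeral port and the implicit default block are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SYN, ACK = 0x02, 0x10
S_SA = (SYN, SYN | ACK)   # "flags S/SA": look at SYN and ACK, require only SYN set

@dataclass
class Rule:
    num: int
    direction: str                        # "in" or "out"
    dst_port: Optional[int]               # None = any port
    flags: Optional[Tuple[int, int]]      # (required, mask) or None = no flag check
    keep_state: bool = False

def flags_match(rule, pkt_flags):
    if rule.flags is None:
        return True
    required, mask = rule.flags
    return pkt_flags & mask == required

def evaluate(rules, packets):
    """packets: (direction, src, dst, sport, dport, flags). One verdict each."""
    states = set()   # (client, server, client port, server port)
    verdicts = []
    for direction, src, dst, sport, dport, flags in packets:
        # One 4-tuple for both directions, so the reply matches the SYN's state.
        key = (src, dst, sport, dport) if direction == "in" else (dst, src, dport, sport)
        if key in states:
            verdicts.append("PASS: has state-table entry")
            continue
        match = None
        for r in rules:  # no "quick": the last matching rule wins
            if r.direction == direction and r.dst_port in (None, dport) and flags_match(r, flags):
                match = r
        if match is None:  # assume an implicit "block all" at the top
            verdicts.append("BLOCK: no matching rule")
        elif match.keep_state:
            states.add(key)
            verdicts.append(f"PASS: matches rule #{match.num} (state created)")
        else:
            verdicts.append(f"PASS: matches rule #{match.num}")
    return verdicts

# Constructed SSH handshake from the thread: somehost -> pfbox (4.4.4.4:22).
HANDSHAKE = [
    ("in",  "somehost", "4.4.4.4", 40000, 22, SYN),
    ("out", "4.4.4.4", "somehost", 22, 40000, SYN | ACK),
    ("in",  "somehost", "4.4.4.4", 40000, 22, ACK),
]
RULE2_OUT = Rule(2, "out", None, None)                  # assumed plain "pass out"
RULE4_NOSTATE = Rule(4, "in", 22, None)                 # RELENG_6 rule without keep state
RULE4_STATE = Rule(4, "in", 22, S_SA, keep_state=True)  # "flags S/SA keep state"
```

Run `evaluate([RULE2_OUT, RULE4_NOSTATE], HANDSHAKE)` and `evaluate([RULE2_OUT, RULE4_STATE], HANDSHAKE)` to see the two verdict lists from the thread; note that in the stateless case the bare ACK is accepted with no handshake ever having been tracked.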