You cannot track the state of stateless protocols such as UDP.
> -----Original Message-----
> From: Ansar Mohammed [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 07, 2008 4:54 PM
> To: 'Jille'
> Cc: 'Kevin K'; freebsd-pf@freebsd.org
> Subject: RE: UDP weirdness
>
> But I thought pf would be tracking state?
> Isn't that the whole point of stateful firewalls?
>
> > -----Original Message-----
> > From: Jille [mailto:[EMAIL PROTECTED]
> > Sent: May 7, 2008 4:50 PM
> > To: Ansar Mohammed
> > Cc: 'Kevin K'; freebsd-pf@freebsd.org
> > Subject: Re: UDP weirdness
> >
> > Ansar Mohammed wrote:
> > > Ok, so adding the line as you suggested worked.
> > > Thanks Kevin.
> > >
> > > But why do I need to have both entries in for
> > >
> > > pass in proto udp from any to any port 53
> > > pass out proto udp from any to any port 53
> > >
> > > what makes UDP so special?
> > UDP is stateless.
> > With TCP you've got a connection (identified by: local host:port and
> > remote host:port).
> > With UDP, well, you just throw the packets over the line, and hope there
> > is (still) someone on the other end.
> >
> > So there is (almost) no way to detect whether packets are responses to
> > each other.
> >
> > -- Jille

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
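An added pf.conf fragment, not from the thread or from any of its participants, showing the two DNS rules quoted above written with explicit state keeping, plus the timers pf applies to UDP entries. The interface name `em0`, the default-deny policy and the timeout values are assumptions chosen for illustration.

```conf
# Added example, not from the thread. Interface name, policy and
# timeout values are assumptions.
ext_if = "em0"

# pf keeps a pseudo-state for UDP keyed on source/destination address
# and port; since UDP has no handshake or teardown, the entry is only
# ever expired by these timers (seconds).
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

block all

# The two rules from the thread. "keep state" records the 4-tuple of the
# first datagram so that a datagram travelling the opposite way with the
# matching addresses and ports is passed by the state entry rather than
# having to match a rule of its own. A stray datagram that matches no
# entry and no rule is still blocked by the default deny above.
pass out on $ext_if proto udp from any to any port 53 keep state
pass in  on $ext_if proto udp from any to any port 53 keep state
```

After loading the rule set, `pfctl -ss` lists the state table and `pfctl -st` shows the timeouts in effect, which is the quickest way to confirm whether a given DNS exchange is being matched by a state entry or by a rule.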