Mark Pagulayan wrote:
> OS: FreeBSD 7.0-RELEASE
> Please correct me if I am wrong that PF 4.1 in FreeBSD 7.0 automatically
> inserts 'Flags S/SA' to rules?
This is correct.
> The problem is that when it comes to this rule:
> pass in quick on $int_if
> after loading to pf
> pass in quick on em0 flags S/SA keep state
> The way I see this is that this rule would be applied to udp traffic as
> well which will be dropped/blocked because flags only work for tcp and
> this might be the cause of state-mismatches that I see in the table -
> state-mismatch 11577272 48.7/s
You are misinterpreting. Pf just does the right thing in most cases. Your
rule "pass in quick on $int_if" is actually interpreted as the following 3
rules:
pass in quick on em0 proto tcp flags S/SA keep state
pass in quick on em0 proto udp keep state
pass in quick on em0 proto icmp keep state
> How can we prevent pf from loading the flags S/SA in the rules
> automatically?
Add the phrase "flags any".
You must also add "no state" now if you do not want stateful filtering
for some reason.
> Also what is the effect of this on the block rule?
> 'block in log on $ext_if all'
> 'block return out log on $ext_if all'
You shouldn't have to worry about it. In almost all cases pf will do what
you mean with that.
tom
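As an added illustration (not part of the thread above), the defaults discussed in this exchange written out as a pf.conf fragment, with the commands used to verify what pf actually loaded. The interface `em1` for `$ext_if` is an assumption; the thread only names `em0`.

```pf
# Added example, not from the original thread.
int_if = "em0"
ext_if = "em1"    # assumed name, the thread does not give it

# Form 1: as written. pf applies "flags S/SA keep state" to TCP only;
# UDP and ICMP still match this rule and get "keep state" with no flag check.
pass in quick on $int_if

# Form 2: the same rule spelled out per protocol, as pf interprets it.
# (Alternative to form 1; do not load both.)
pass in quick on $int_if proto tcp flags S/SA keep state
pass in quick on $int_if proto udp keep state
pass in quick on $int_if proto icmp keep state

# Form 3: opting out. "flags any" removes the TCP flag check and
# "no state" stops state creation; plain stateless filtering needs both.
pass in quick on $int_if flags any no state

# Block rules need no change; the pass-rule defaults do not alter them.
block in log on $ext_if all
block return out log on $ext_if all

# Verification, from a root shell:
#   pfctl -nvf /etc/pf.conf   parse only and print the rules as pf expands them
#   pfctl -sr                 show the rules currently loaded
#   pfctl -si                 show counters, including state-mismatch
```

Comparing `pfctl -nvf` output against the rules as you wrote them is the quickest way to see which defaults pf has filled in for you.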
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf