Hi all,
After upgrading a production machine from 6.x to 7.x,
I noticed that pf would create states from rules without
"keep state". IMSMR, it hadn't happened before, and
the pf.conf(5) manpage still says one has to specify
"keep state" explicitly for pf to create states.
Just examined this issue more closely on a CURRENT machine.
If I load the following simple pf.conf file:

    set skip on lo0
    block return all
    pass out all
    pass in inet proto icmp all icmp-type echoreq
    pass in inet proto tcp from any to any port 22

then I get these actual rules as shown by "pfctl -s rules":

    block return all
    pass out all flags S/SA keep state
    pass in inet proto icmp all icmp-type echoreq keep state
    pass in inet proto tcp from any to any port = ssh flags S/SA keep state

Looks like pfctl or pf itself added stateful semantics to my pf.conf
that weren't there initially. Is this effect intended and, if so, how
can I tell pf not to create states from certain rules?
Thanks! And excuse me if I'm just missing something.
Yar
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf