> Hi all,
>
> After upgrading a production machine from 6.x to 7.x,
> I noticed that pf would create states from rules without
> "keep state". IMSMR, it hadn't happened before, and
> the pf.conf(5) manpage still says one has to specify
> "keep state" explicitly for pf to create states.
>
> Just examined this issue more closely on a CURRENT machine.
> If I load the following simple pf.conf file:
>
> > set skip on lo0
> > block return all
> > pass out all
> > pass in inet proto icmp all icmp-type echoreq
> > pass in inet proto tcp from any to any port 22
>
> then I get these actual rules as shown by "pfctl -s rules":
>
> > block return all
> > pass out all flags S/SA keep state
> > pass in inet proto icmp all icmp-type echoreq keep state
> > pass in inet proto tcp from any to any port = ssh flags S/SA keep state
>
> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> that weren't there initially. Is this effect intended and, if so, how
> can I tell pf not to create states from certain rules?
>
> Thanks! And excuse me if I'm just missing something.
>
> Yar
Yes, it is not in man pf.conf(5) but in the Rel Notes
http://www.freebsd.org/releases/7.0R/relnotes.html

See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)

The man page matches the OpenBSD one
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3

What is your reason for not using 'S/SA keep state' at these rules?

You can disable this with the 'no state' keyword

Regards,
olli

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
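As an added illustration of the 'no state' keyword mentioned in the reply (this rule set is not from either poster), here is the original pf.conf rewritten so that the SSH rule is stateless while the rest keeps the 7.x default. The interface, ports and rule order are taken from the question; the extra outbound SSH rule is an assumption about what a stateless setup needs, explained in the comments.

```pf
# Added example, not from the thread: the poster's rule set with state
# creation disabled on the SSH rule via "no state".
set skip on lo0

# Last matching rule wins; this is the default for anything not passed below.
block return all

# Outbound traffic: left stateful. pfctl expands this to
# "pass out all flags S/SA keep state" on 7.x / OpenBSD 4.1+.
pass out all

# ICMP echo requests: "keep state" written out so the intent is explicit.
pass in inet proto icmp all icmp-type echoreq keep state

# SSH, stateless in both directions.
# Without a state entry, no reply packet is matched automatically, so the
# server's SYN-ACK and later segments need their own rule. "flags any" is
# required because the implicit "flags S/SA" would only match initial SYNs
# and every other segment of the connection would fall through to the block.
pass in  inet proto tcp from any to any port 22 flags any no state
pass out inet proto tcp from any port 22 to any flags any no state
```

Check the expansion without loading it, using `pfctl -nvf /etc/pf.conf` (`-n` parses only, `-v` prints the rules as pf will apply them); the two SSH lines should come back without "keep state" while `pass out all` still gains "flags S/SA keep state". Bear in mind what a stateless rule gives up: pf no longer tracks sequence numbers or connection direction for that traffic, so the stateless rules must be written for both directions and anything they admit is judged on the packet alone.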