On Sep 7, 2008, at 7:31 PM, Olli Hauer wrote:
Looks like pfctl or pf itself added stateful semantics to my pf.conf
that weren't there initially. Is this effect intended and, if so, how
can I tell pf not to create states from certain rules?
Thanks! And excuse me if I'm just missing something.
Yar
Yes, it is not in man pf.conf(5) but in the Rel Notes
http://www.freebsd.org/releases/7.0R/relnotes.html
See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
Thank you for pointing this out to me!
The man page matches the OpenBSD one
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
And in OpenBSD-current the manpage still reads: "...keep state
must be specified explicitly to apply [stateful tracking] options
to a rule."
Perhaps we can fix this issue in our src tree and then send the
patch upstream to the OpenBSD folks, can't we? In Subversion, the
price of touching an imported file is not nearly as high as it used
to be in CVS.
What is your reason for not using 'S/SA keep state' on these rules?
I think I'm hitting some obscure issue with pf state synchronisation
between two routers, so I'd like to prevent at least internal connections
from being torn when a switch from the master to the backup router occurs
via carp. The routers have a lot of vlan interfaces, and I'd like to
limit stateful filtering to the uplink vlan only.
You can disable this with the 'no state' keyword
I see now. Your help is much appreciated!
Yar
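
The setup discussed in this thread, as an added pf.conf example that is not part of the original messages: stateless filtering on the internal vlans via 'no state', stateful filtering on the uplink only. The interface names and macros are assumptions.

```conf
# Constructed example; vlan numbers and macro names are hypothetical.
ext_if  = "vlan10"                # uplink vlan
int_ifs = "{ vlan20, vlan30 }"    # internal vlans

# Before: a rule written without any state keyword.
# Since the change listed in the FreeBSD 7.0 release notes
# (OpenBSD 4.1 upstream), pfctl loads it as
#   pass on <if> all flags S/SA keep state
# so internal connections depend on state table entries.
#pass on $int_ifs all

# After: 'no state' keeps the internal vlans stateless.
# The rule has no direction, so it matches packets both in and out
# and reply traffic passes without a state entry.
pass on $int_ifs all no state

# Stateful filtering stays on the uplink only.
# The state keywords are spelled out so the ruleset reads the same
# before and after the default change.
block in on $ext_if all
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
```

`pfctl -nvf /etc/pf.conf` prints the rules as pfctl parses them without loading them, and `pfctl -sr` prints the loaded ruleset, so either shows which rules ended up with `keep state`.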