> >> Looks like pfctl or pf itself added stateful semantics to my pf.conf
> >> that weren't there initially. Is this effect intended and, if so, how
> >> can I tell pf not to create states from certain rules?
> >>
> >> Thanks! And excuse me if I'm just missing something.
> >>
> >> Yar
> >>
> >
> > Yes, it is not in man pf.conf(5) but in the Rel Notes
> > http://www.freebsd.org/releases/7.0R/relnotes.html
> > See also http://openbsd.org/faq/upgrade41.html (1.2. Operational changes)
>
> Thank you for pointing that out!
>
> > The man page matches the OpenBSD one
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.3
>
> And in OpenBSD-current the manpage still reads: "...keep state
> must be specified explicitly to apply [stateful tracking] options
> to a rule."
>
> Perhaps we can fix this issue in our src tree and then send the
> patch upstream to the OpenBSD folks, can't we? In Subversion, the
> price of touching an imported file is not nearly as high as it used
> to be in CVS.

Yes, parts of the document should be updated.

> > What is your reason for not using 'S/SA keep state' at these rules?
>
> I think I'm hitting some obscure issue with pf state synchronisation
> between two routers, so I'd like to prevent at least internal connections
> from being torn when a switch from the master to the backup router occurs
> via carp. The routers have a lot of vlan interfaces, and I'd like to limit
> stateful filtering to the uplink vlan only.
>
> > You can disable this with the 'no state' keyword
>
> I see now. Your help is much appreciated!
>
> Yar

Hm, maybe something like this can be your solution (example for ssh traffic):

# no state rule to manage the router interface (not carp/vlans/cloned interfaces)
pass in quick inet proto tcp from $internal to $if_base:0 port 22 no state
# all other ssh traffic
pass in inet proto tcp from any to any port 22

Regards,
olli
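Added example, not olli's or Yar's configuration: a pf.conf fragment that carries the idea through to Yar's stated goal, statelss filtering on the internal vlans and stateful filtering on the uplink vlan only. Interface names and the internal network are assumed.

```pf
# Added example (not from the thread): interface names and networks are assumed.
uplink   = "vlan100"                    # the only interface that keeps state
int_ifs  = "{ vlan10 vlan20 vlan30 }"   # internal vlans behind the carp pair
internal = "10.0.0.0/8"

# Internal vlans: filter statelessly, so a carp master/backup switch cannot
# tear these connections (the backup router never needed a state entry).
# Since this pf version keeps state on pass rules by default, 'no state'
# has to be written explicitly on every rule that must stay stateless.
pass in  quick on $int_ifs inet from $internal to $internal no state
pass out quick on $int_ifs inet from $internal to $internal no state

# Uplink vlan: stateful as before. 'keep state' is now implicit, but writing
# 'flags S/SA keep state' out keeps the intent visible when the file is read.
block in on $uplink all
pass in  on $uplink inet proto tcp from any to $internal port 22 flags S/SA keep state
pass out on $uplink inet proto tcp from $internal to any flags S/SA keep state

# Parse without loading to catch syntax errors: pfctl -nf /etc/pf.conf
```

Because the internal rules carry quick, later stateful rules never apply to that traffic; rules without quick are still last-match, so the uplink block/pass pair works as usual.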