Do you mean to say that a state checks not only address:port pairs, but
also TCP flags? This is a new notion for me. What would be a "pass" rule
to create a "catch all" state with no regard for TCP flags?
For TCP it checks the flags when the state is created. From man pf.conf:

    flags <a>/<b> | /<b> | any
        This rule only applies to TCP packets that have the flags <a> set
        out of set <b>. Flags not specified in <b> are ignored. For
        stateful connections, the default is flags S/SA. To indicate that
        flags should not be checked at all, specify flags any. The flags
        are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
Afaik a pass rule only creates state on the interface it monitors.
I'm afraid this is an incorrect assumption.
I did not recreate your setup to check this though. But this
is what should happen:
With rule 2 remarked:
- Your initial telnet SYN will create state on $inside through rule 3.
- There should be no state created on $dmz.
I'm afraid this is an incorrect assumption. According to man pf.conf, by
default "state-policy=floating" and state is not bound to interfaces.
The output of "pfctl -s state" does not indicate any interfaces either,
just protocols, addresses and ports.
This is weird. My state table clearly shows the interface name first on
the line instead of "all", but I use state-policy if-bound. I have no
experience with floating mode, thus my assumptions earlier. I apologize
if I was wrong.
/Morgan
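The two settings the thread turns on, the flags option on a pass rule and the state-policy, shown side by side as an added pf.conf fragment (not part of the original messages). The macro names ($inside, $dmz, $lan) and the telnet port are assumptions chosen to match the setup discussed above; the syntax itself is from pf.conf(5).

```conf
# Added example, not from the thread. Assumed macros:
inside = "em0"
dmz    = "em1"
lan    = "192.168.1.0/24"

# Global default. "floating" is the pf default: a state is not tied to
# the interface that created it, and "pfctl -s state" prints "all" in
# the interface column. With "if-bound" each state is tied to one
# interface and the interface name is printed instead.
set state-policy floating
# set state-policy if-bound

# Rule with the implied default "flags S/SA": only a packet with SYN set
# and ACK clear (the first packet of a handshake) may create the state.
pass in on $inside proto tcp from $lan to any port 23 keep state

# "Catch all" version of the same rule: TCP flags are not checked at all
# when the state is created, so a mid-stream packet (for example after a
# state-table flush, or on an asymmetric path) can also create state.
pass in on $inside proto tcp from $lan to any port 23 flags any keep state

# The policy can also be overridden per rule instead of globally.
pass in on $dmz proto tcp from any to $lan port 23 keep state (if-bound)
```

After loading the file, "pfctl -s state" shows whether a given state is floating ("all") or bound to an interface (the interface name), and "pfctl -vs rules" shows the flags setting that each rule ended up with, including the implied S/SA on rules that do not name one.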
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"