Do you mean to say that a state checks not only address:port pairs, but
also TCP flags? This is a new notion for me. What would be a "pass" rule
to create a "catch all" state with no regard for TCP flags?

For TCP it checks the flags when the state is created. From man pf.conf:

     flags <a>/<b> | /<b> | any
           This rule only applies to TCP packets that have the flags <a>
           set out of set <b>.  Flags not specified in <b> are ignored.
           For stateful connections, the default is flags S/SA.  To
           indicate that flags should not be checked at all, specify
           flags any.  The flags are: (F)IN, (S)YN, (R)ST, (P)USH,
           (A)CK, (U)RG, (E)CE, and C(W)R.


Afaik a pass rule only creates state on the interface it
monitors.

I'm afraid this is an incorrect assumption.

I did not recreate your setup to check this though. But this
is what should happen:

With rule 2 remarked:

- Your initial telnet SYN will create state on $inside through rule 3.
- There should be no state created on $dmz.

I'm afraid this is an incorrect assumption. According to man pf.conf, by
default "state-policy=floating" and state is not bound to interfaces.
The output of "pfctl -s state" does not indicate any interfaces either,
just protocols, addresses and ports.


This is weird. My state table clearly shows the interface name first on the line instead of "all", but I use state-policy if-bound. I have no experience with floating mode, thus my assumptions earlier. I apologize if I was wrong.

/Morgan

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
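As an added illustration (not a ruleset from anyone in this thread), the pf.conf fragment below shows the two points discussed above: the `flags` keyword that decides which TCP packets may create state (default `S/SA` versus the "catch all" `flags any`), and the `state-policy` setting that decides whether a state is bound to the interface it was created on. The interface names `em0`/`em1` and the macro names `inside`/`dmz` are assumed for the example.

```pf
# Constructed example; interface names and macros are assumptions.
inside = "em0"
dmz    = "em1"

# Default is "floating": a state created on one interface matches traffic
# on any interface, and pfctl -s state shows no interface name.
# "if-bound" ties each state to the interface it was created on, so
# pfctl -s state lists the interface instead of "all".
set state-policy if-bound

# Default behaviour written out: only a packet with SYN set, out of the
# SYN and ACK bits inspected, creates state. A stray ACK or FIN with no
# matching state is dropped rather than silently creating one.
pass in on $inside proto tcp from $inside:network to any flags S/SA keep state

# "Catch all" state creation with no regard for TCP flags: any TCP packet
# that hits this rule creates state, even mid-connection. Useful only when
# the initial SYN is not seen on this interface; otherwise it weakens the
# check above.
pass in on $dmz proto tcp from $dmz:network to any flags any keep state
```

After loading, `pfctl -s state` is the check for which mode is in effect: with `if-bound` each entry starts with an interface name, with `floating` it starts with "all".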