Morgan Wesström wrote:

> > Do you mean to say that a state checks not only address:port pairs, but
> > also TCP flags? This is a new notion for me. What would be a "pass" rule
> > to create a "catch all" state with no regard for TCP flags?
>
> For TCP it checks the flags when the state is created. From man pf.conf

Forget TCP for now; let's explain the ICMP ping case I posted earlier.

[dd]

> > I'm afraid this is an incorrect assumption. According to man pf.conf, by
> > default "state-policy=floating" and state is not bound to interfaces.
> > The output of "pfctl -s state" does not indicate any interfaces either,
> > just protocols, addresses and ports.
>
> This is weird. My state table clearly shows the interface name first on
> the line instead of "all", but I use state-policy if-bound. I have no
> experience with floating mode, thus my assumptions earlier. I apologize
> if I was wrong.

You need not apologize; my lab runs a very basic pf configuration where
state-policy=floating by default.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
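The two points argued in this thread, whether a state is bound to an interface (state-policy floating vs. if-bound) and whether TCP flags are checked when a state is created, are both controlled by pf.conf keywords. The fragment below is an added illustration, not configuration posted by either participant; the interface name em0, the port and the ICMP rule are assumptions chosen for the example.

```pf
# Added example pf.conf fragment (not from the thread); em0 and the
# services are assumptions.
ext_if = "em0"

# Global default. "floating" is pf's default: states are not bound to an
# interface and "pfctl -s state" lists them under "all". "if-bound" ties
# each state to the interface it was created on, which is why Morgan's
# state table shows an interface name in the first column.
set state-policy floating

# Default TCP state creation: pf only opens a state on a packet whose
# flags match S/SA (a SYN without ACK), so a stray ACK or RST never
# creates a state.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state

# "flags any" disables the TCP flag check on state creation: any TCP
# packet matching the rule, not only an initial SYN, opens a state.
# This is the "catch all" rule asked about; it also means pf will
# happily track a connection it never saw the handshake of, so the
# usual TCP window checks apply to a mid-stream guess of the sequence
# numbers.
pass in on $ext_if proto tcp flags any keep state

# Per-rule override of the global policy: this ICMP echo state is bound
# to em0 even though the global state-policy above is floating, so a
# reply arriving on another interface will not match it.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state (if-bound)
```

To see the difference the thread is discussing, compare the first column of "pfctl -s state" before and after switching the global policy: floating states print "all", if-bound states print the interface name.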