Stuart Henderson wrote:
On 2006/11/12 11:24, Gerald Holl wrote:
pass in on $ext_if proto tcp to ($ext_if) port 22
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

So long, from two of my PCs outside the network I can connect to the ssh service but from exactly one PC it does not work because I get no response back from the ssh server. If I add 'keep state' to the pass in rule it works. Why do I need 'keep state' although the pass out rule already defines 'modulate state'? As I mentioned above: it works for all of my PCs outside except for one.

"modulate state" is creating state from a packet after the connection
setup, which doesn't have all the relevant information to validate the
sequence numbers correctly. You should use "flags S/SA keep state" or
"...modulate state" on all your rules unless there's a special reason
to do otherwise (quite unlikely).

Ok, I changed the above rules into following ones:

pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA modulate state

With these rules, pf only keeps state when the SYN flag is set, is that right?


cheers,
Gerald
--
http://holl.co.at
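As an added example, not from the thread itself: a complete minimal pf.conf that applies the pattern Stuart recommends, with the interface name `em0` and the default `block all` being assumptions. On Gerald's closing question: `flags S/SA` restricts the rule to packets in which, of the SYN and ACK bits, only SYN is set, so state is created only from the first packet of the three-way handshake and never from a SYN+ACK or a bare ACK arriving mid-connection.

```pf
# Added example (not from the thread): minimal ruleset illustrating
# state creation from the initial SYN only. Interface name is assumed.
ext_if = "em0"

# Default deny in both directions; everything below is an explicit pass.
block all

# "flags S/SA": of the SYN and ACK bits, only SYN may be set. A SYN+ACK
# or a plain ACK never matches this rule, so state is only created from
# the first packet of the handshake and sequence numbers are tracked
# from the start. "modulate state" additionally randomises the server's
# initial sequence number for this connection.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state

# Same flag check outbound, so the server's own SYN+ACK replying to an
# inbound ssh SYN does not create a second, mid-handshake state entry
# (the situation Stuart describes for a state created after setup).
pass out on $ext_if proto tcp from any to any flags S/SA modulate state

# udp and icmp carry no TCP flags; "keep state" is the applicable form.
pass out on $ext_if proto { udp, icmp } from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating, then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards lists the state entries, where an inbound ssh session should show exactly one entry for port 22.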
