On 2006/11/12 15:40, Gerald Holl wrote:
> >"modulate state" is creating state from a packet after the connection
> >setup, which doesn't have all the relevant information to validate the
> >sequence numbers correctly. You should use "flags S/SA keep state" or
> >"...modulate state" on all your rules unless there's a special reason
> >to do otherwise (quite unlikely).
>
> Ok, I changed the above rules into the following ones:
>
> pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
> pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA
> modulate state
>
> With these rules, pf only keeps state when the SYN flag is set, is that
> right?
Yes, exactly. Other packets (those which don't only have SYN out of SYN+ACK) don't create state at all, but they're allowed through when they match an existing state (src/dest port+address, as you'd expect, and sequence numbers must also be within a reasonable window). I think one of the main reasons people used to avoid keeping state was so that a newly-booted firewall could synchronize with existing packet flows - say, if you want to replace one firewall with a new one - but we have CARP/PFSYNC for that now so it's less important. Generally keeping state saves CPU time, and increases security.
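As an added illustration of the behaviour described in this thread (this is a toy model written for this page, not pf's own code): the `flags set/mask` test decides which packets may create state, and everything else is passed only if it matches an existing state entry and falls inside a sequence window. The rule, port, hosts and `SEQ_WINDOW` value are constructed for the example; ISN modulation is not modelled.

```python
from dataclasses import dataclass

# TCP flag bits, as used in pf's "flags set/mask" syntax (e.g. "S/SA").
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
SEQ_WINDOW = 65535  # constructed toy window; pf's real tracking is more involved


def to_bits(flags: str) -> int:
    return sum(TCP_FLAGS[c] for c in flags)


def flags_match(pkt_flags: str, spec: str) -> bool:
    """pf 'flags set/mask': of the flags named in mask, exactly those in set are on."""
    want, mask = (to_bits(part) for part in spec.split("/"))
    return (to_bits(pkt_flags) & mask) == want


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "S", "SA", "A"
    seq: int


class StatefulFilter:
    """Model of one rule: pass in proto tcp to port <port> flags <spec> keep state."""

    def __init__(self, port: int = 22, spec: str = "S/SA"):
        self.port, self.spec, self.states = port, spec, {}

    def _lookup(self, p: Packet):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return next((k for k in (fwd, rev) if k in self.states), None)

    def process(self, p: Packet) -> str:
        key = self._lookup(p)
        if key is not None:  # existing state: any flags, but seq must stay in window
            last = self.states[key].get((p.src, p.sport))
            if last is None or abs(p.seq - last) <= SEQ_WINDOW:
                self.states[key][(p.src, p.sport)] = p.seq
                return "pass (state)"
            return "block (seq outside window)"
        if p.dport == self.port and flags_match(p.flags, self.spec):
            # Only a packet passing the flags test (a bare SYN) creates state.
            self.states[(p.src, p.sport, p.dst, p.dport)] = {(p.src, p.sport): p.seq}
            return "pass (new state)"
        return "block (no state, no SYN)"
```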