Re: PF state problem

2006-11-14 Thread Garance A Drosihn
At 3:18 PM + 11/12/06, Stuart Henderson wrote:
Yes, exactly. Other packets (those which don't only have SYN out of SYN+ACK) don't create state at all, but they're allowed through when they match an existing state (src/dest port+address, as you'd expect, and sequence numbers must also be with

Re: PF state problem

2006-11-12 Thread Berk D. Demir
Ok, I changed the above rules into the following ones:

pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA modulate state

With these rules, pf only keeps state when the SYN flag is set, is that right?

Re: PF state problem

2006-11-12 Thread Stuart Henderson
On 2006/11/12 15:40, Gerald Holl wrote:
> >"modulate state" is creating state from a packet after the connection
> >setup, which doesn't have all the relevant information to validate the
> >sequence numbers correctly. You should use "flags S/SA keep state" or
> >"...modulate state" on all your rule

Re: PF state problem

2006-11-12 Thread Gerald Holl
Stuart Henderson wrote:
On 2006/11/12 11:24, Gerald Holl wrote:
pass in on $ext_if proto tcp to ($ext_if) port 22
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

So long, from two of my PCs outside the network I can connect to the ssh service but from exactly one PC

Re: PF state problem

2006-11-12 Thread Martin Toft
Martin Toft wrote:
Since the OP is using 4.0, this might be of interest: "flags S/SA keep state" is default [0].

[0] http://archives.neohapsis.com/archives/openbsd/2006-10/0549.html

Hmm, sorry, I didn't read it right. It's only in -current.

Regards, Martin

Re: PF state problem

2006-11-12 Thread Martin Toft
Stuart Henderson wrote:
On 2006/11/12 11:24, Gerald Holl wrote:
pass in on $ext_if proto tcp to ($ext_if) port 22
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

So long, from two of my PCs outside the network I can connect to the ssh service but from exactly one PC

Re: PF state problem

2006-11-12 Thread Stuart Henderson
On 2006/11/12 11:24, Gerald Holl wrote:
> pass in on $ext_if proto tcp to ($ext_if) port 22
> pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
>
> So long, from two of my PCs outside the network I can connect to the ssh
> service but from exactly one PC it does not work