On 2018-10-22, Daniel Corbe wrote:
> at 10:04 AM, Frédéric Goudal wrote:
>
>> - is there any reason to add keep state to a pass rule ?
>
> 1) UDP rules don’t keep state by default.
That's not correct.
> 2) Even for TCP connections, it’s better to explicitly throw a keep state
> on there for
It is due to history.
ipf didn't have stateful, at all.
the first version of pf didn't have stateful, but it was incrementally
added starting after 1 year over a period of 3 years. during development,
it was not the default.
other projects started adopting pf. (here is where it gets ugly)
Along
Thanks for your answer.
The disturbing thing for me was that I work on several firewalls, and some have
the flags S/SA keep state options, and some not… so as I’m quite new to pf I
was really wondering.
f.g.
> On 22 Oct 2018 at 17:09, Daniel Corbe wrote:
>
> at 10:04 AM, Frédéric Goudal
Daniel Corbe(dco...@hammerfiber.com) on 2018.10.22 11:09:08 -0400:
> at 10:04 AM, Frédéric Goudal wrote:
>
> >- is there any reason to add keep state to a pass rule ?
Only if you want to use one of the "Stateful Tracking Options" (see
pf.conf(5)).
For example, to add no-sync (don't send the st
at 10:04 AM, Frédéric Goudal wrote:
- is there any reason to add keep state to a pass rule ?
1) UDP rules don’t keep state by default.
2) Even for TCP connections, it’s better to explicitly throw a keep state
on there for clarity, so that people who come in behind you and actually
bother
Hello,
There is something that I don’t really understand about pf keep state :
- documentation says : All pass rules automatically create a state entry when a
packet matches the rule. This can be explicitly disabled by using the no state
option.
But…
I find a lot of examples on the web that add