[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf and statesfull filtering on a bridge

To: <tech@openbsd.org>
Subject: Re: pf and statesfull filtering on a bridge
From: Tertou <TDeval@PrimeOBJ.COM>
Date: Thu, 4 Oct 2001 22:00:19 +0200

On Wednesday, October 3, 2001, at 09:42 PM, Brian Hunt wrote:

> Just a heads up:
>
> 'keep state' will overrule 'flags /SA'; you don't need/want both.  Just 
> use
> 'keep state'
> ie. (and replace 'from any to any' with 'all')
>
>     pass in on qe1 proto tcp from any to any flags S/SA keep state
> becomes
>     pass in on qe1 proto tcp all keep state

Wrong, keep state will create a pf state for each packet filling the 
rule conditions.
flags S/SA means that this will be true only for packets which have 
their Syn-Ack flags to True-False and no other Syn-Ack flag state.

Without the flags condition, you would create a pf state for any packet, 
whether they have valid or invalid flags combination !

References:
- Re: pf and statesfull filtering on a bridge
  - From: "Brian Hunt" <bhunt@visionmd.com>

Prev by Date: Re: pool_get must have NOWAIT panic
Next by Date: Re: microtime latency
Prev by thread: Re: pf and statesfull filtering on a bridge
Next by thread: Re: pf and statesfull filtering on a bridge
Index(es):
- Date
- Thread