Re: pf set expansion and flags



On Fri, Jul 26, 2002 at 12:05:15PM -0700, Paul B. Henson wrote:
> On Fri, 26 Jul 2002, Henning Brauer wrote:
> 
> > On Thu, Jul 25, 2002 at 08:50:09PM -0700, Paul B. Henson wrote:
> > > pass out on sk0 proto { icmp, udp, tcp } from 134.71.202.0/23 to any flags S keep state
> >
> > this is wrong. flags don't apply to non-tcp. -current has rejected that
> > for some time now.
> 
> so this line would be rejected with a syntax error? 

yes.

> To achieve the
> equivalent functionality would require two lines?

yes.

> I kind of like the simplicity of being able to handle all state issues for
> a single host/subnet with one rule, I just didn't like the irrelevant flags
> being displayed for non TCP protocol rules when listing.

this has been rejected for some time, not just since your post.
i'm not entirely sure what the best option is here, but there is a good
point: silently ignoring things is bad.

> You don't like the idea of allowing the syntax but only applying the flags
> to the generated TCP rules?

well, we are silently ignoring something then. and we more or less "guess"
what you meant and don't do what you wrote (because we can't, because flags
just don't apply).

-- 
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
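The split Henning describes, written out as a pf.conf fragment. This is an added illustration, not part of the mailing-list exchange; it reuses the interface (sk0) and network (134.71.202.0/23) from the quoted rule and assumes the pf.conf grammar of that era, in which `flags` is valid only on a rule whose protocol is tcp.

```pf
# Rejected by pfctl: "flags S" cannot apply to the icmp and udp members of the
# protocol list, so the whole rule is a syntax error rather than a partial match.
# pass out on sk0 proto { icmp, udp, tcp } from 134.71.202.0/23 to any flags S keep state

# Equivalent written as two rules. Only the tcp rule carries the flags
# qualifier; icmp and udp get plain stateful rules.
pass out on sk0 proto tcp         from 134.71.202.0/23 to any flags S keep state
pass out on sk0 proto { icmp, udp } from 134.71.202.0/23 to any keep state
```

Loading the fragment with `pfctl -nf` (parse only, no rule changes) is the check to run: the commented rule fails to parse, the two-rule form loads cleanly, and `pfctl -sr` then shows `flags S` on the tcp rule alone, which is the listing behaviour the original poster was after without pf having to guess which rules the flags were meant for.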
