keep state defaults with stateful tracking options.
Good day, [EMAIL PROTECTED]

obsd42# uname -a
OpenBSD obsd42.oganer.net 4.2 GENERIC#1 i386
obsd42# echo pass (max 32) | pfctl -vnf -
stdin:1: syntax error
obsd42# echo pass keep state (max 32) | pfctl -vnf -
pass all flags S/SA keep state (max 32, adaptive.start 18, adaptive.end 36)
obsd42#

Is it correct behavior that we need to specify keep state, which should be the default? Or am I missing something?

--
Dmitry Medvedev

Re: keep state defaults with stateful tracking options.
On Fri, Feb 08, 2008 at 03:37:33PM +0700, Dmitry Medvedev wrote:
> Is it correct behavior that we need to specify keep state, which should be the default? Or am I missing something?

Yes, this is the correct behaviour when you're trying to set state tracking options. In the pf.conf(5) manpage:

STATEFUL TRACKING OPTIONS
     A number of options related to stateful tracking can be applied on a
     per-rule basis.  keep state, modulate state and synproxy state support
     these options, and keep state must be specified explicitly to apply
     options to a rule.

-Ryan

Re: keep state defaults with stateful tracking options.
Dmitry Medvedev wrote:
> Good day, [EMAIL PROTECTED]
>
> obsd42# uname -a
> OpenBSD obsd42.oganer.net 4.2 GENERIC#1 i386
> obsd42# echo pass (max 32) | pfctl -vnf -
> stdin:1: syntax error
> obsd42# echo pass keep state (max 32) | pfctl -vnf -
> pass all flags S/SA keep state (max 32, adaptive.start 18, adaptive.end 36)
> obsd42#
>
> Is it correct behavior that we need to specify keep state, which should be the default? Or am I missing something?
>
> --
> Dmitry Medvedev

pf.conf(5):

STATEFUL TRACKING OPTIONS
     A number of options related to stateful tracking can be applied on a
     per-rule basis.  keep state, modulate state and synproxy state support
     these options, and keep state must be specified explicitly to apply
     options to a rule.

     max number
           Limits the number of concurrent states the rule may create.
           When this limit is reached, further packets that would create
           state will not match this rule until existing states time out.