On Monday 07 April 2008 17:05:32 Matthew Dillon wrote:
> :Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
> :
> :In OpenBSD 4.1 and later, the default flags S/SA are applied to all
> :TCP filter rules.
> :
> :Since OpenBSD 4.1, "keep state" is also the default.
> :
> :Cedric
>
>     I found the code.  NetBSD doesn't seem to have adopted that
>     change.
>
>     I'm not sure I want to adopt the keep state by default on pass
>     rules but S/SA clearly must be adopted and its default modified by
>     the new options (i.e. S/SA set by default (also for 'nopickups'),
>     and not set if 'pickups' or 'hashonly' since we want to pick up the
>     stream in the middle for the latter two).

You will want this change, too:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c#rev1.51
if you turn on "flags S/SA" by default.

>     Some of this stuff is starting to look a little overboard.  I can
>     see having keep state on as a default if it didn't have such an adverse
>     effect on existing TCP streams on reboot, but it does and because it
>     does I don't think I want it turned on as a default in DragonFly.
>
>     Or, alternatively, we could turn it on by default in DragonFly but
>     as 'hashonly' unless a keep state directive is explicitly specified
>     in the rule.  But then issues pop up where the administrator might
>     not have wanted keep state for everything due to extreme volumes and
>     doing that could blow out the areas he DID want keep state on.  So,
>     right now, I'm inclined not to turn on keep state by default if it
>     isn't specified in the rule.

Note that processing the ruleset is *really* expensive.  Keep state wherever,
whenever you can.  I agree that the tcp checking is a bit overzealous, but not
keeping state at all is not a good idea.  I don't know what the most reasonable
default is, but offering a way to switch off the extended tcp checking is
certainly a good thing.

I think I will take this to FreeBSD sooner or later, but will keep conservative
defaults, i.e. "flags S/SA keep state (nopickups)" in your current proposed
naming.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
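A pf.conf fragment, added here as an illustration and not taken from the thread or from any of the projects mentioned, showing the behaviours under discussion side by side for an assumed web server macro. It uses the stock pf keywords `flags any`, `keep state (sloppy)` and `no state` for the mid-stream and stateless cases rather than the 'pickups'/'hashonly' names proposed above, which are hypothetical.

```pf
# Constructed example: $ext_if and $web_srv are assumed macros.
ext_if  = "em0"
web_srv = "192.0.2.10"

# 1. Implicit default (OpenBSD 4.1 and later): this rule is equivalent
#    to "flags S/SA keep state".  Only a SYN without ACK matches, the
#    state entry is created from the handshake, and every later packet
#    of the stream is passed by the state table, never by walking the
#    ruleset again.
pass in on $ext_if proto tcp from any to $web_srv port 80

# 2. The same rule spelled out, i.e. the conservative default argued
#    for in the reply.  Connections that were established before a
#    reboot (state table lost, no SYN will ever be seen again) do not
#    match this rule and are dropped: that is the "adverse effect on
#    existing TCP streams on reboot" in the quoted text.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# 3. Mid-stream pickup: no flag check, and a sloppy state that does not
#    enforce TCP sequence-number windows, so a stream already in flight
#    when the firewall came up is accepted and tracked from its first
#    packet.  This restores connectivity after a reboot but gives up
#    the handshake and window checks, so it is the looser setting.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags any keep state (sloppy)

# 4. No state at all (what the reply warns against): every packet of
#    every connection has to be matched by a rule, and the return
#    direction needs its own stateless rule, so the ruleset is
#    evaluated per packet instead of once per connection.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags any no state
```

Rules 1 and 2 are functionally identical on OpenBSD 4.1 and later; the difference that matters for the reboot argument is between 2 and 3.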
