----- Original Message ----- From: "Henning Brauer" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, June 01, 2004 1:39 AM Subject: Re: tagging & keep state
> no, only the first packet is (to be exact: only packets which do not
> match a state entry are tagged). This hasn't been a problem in practice
> (and is why the parser demands keep state on pass rules which do
> tagging);

There are always annoying edge cases. The only problem I've seen with this behaviour of tags is when you're trying to keep track of traceroutes through the box. Say you have the following rules:

    block log all
    pass in on $if1 tag THROUGH
    pass out on $if2 tagged THROUGH

The first traceroute packet will come in and create state on the incoming side, but because its TTL will be one it won't go through the box, i.e. it won't create a state entry on the outgoing side. The second traceroute packet, with its TTL of two, will then come in and match the state entry for the incoming side. However, because it was passed by the state entry and not evaluated by the first pass rule, it won't have the THROUGH tag attached to it. It therefore won't match the second pass rule and the default block policy will come into effect. The packet will be dropped and the traceroute will be broken. It makes sense if you know what's happening, but isn't immediately obvious. This is explored further by http://www.itee.uq.edu.au/~chrisp/OpenBSD/pf.c-tag_states.diff.

Regards,
DG
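The sequence above is easy to lose in prose, so here is a small Python model, added as an illustration alongside the thread rather than taken from OpenBSD's pf or from the referenced diff, that walks traceroute probes with TTL 1 and 2 through the three rules DG quoted. It models only what the mail states: a state match bypasses the rule set, so only packets that miss the state table are tagged, and the tagging pass rule keeps state because the parser demands it. The `tag_on_state` switch is an assumption of the model alone: it shows what changes if the tag were remembered on the state entry and handed to later state-matched packets, and makes no claim about what the linked diff does. Addresses and interface names are constructed.

```python
# Added example: a toy model of pf's "tag" / "keep state" interaction that
# reproduces the traceroute edge case from the mail. Not OpenBSD code, and not
# a description of the referenced diff; real pf evaluation is far richer.
from dataclasses import dataclass, field
from typing import Optional, List, Dict, Tuple


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: Optional[str]      # "in", "out", or None for either
    iface: Optional[str]          # interface, or None for any
    tag: Optional[str] = None     # tag applied on match ("tag THROUGH")
    tagged: Optional[str] = None  # tag required to match ("tagged THROUGH")
    keep_state: bool = False


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    tag: Optional[str] = None     # pf's internal marker; never on the wire


@dataclass
class Box:
    rules: List[Rule]
    # Assumption for the alternative run only: remember the tag on the state
    # entry and hand it to later state-matched packets. Per the mail, stock pf
    # tags only packets that do not match a state entry.
    tag_on_state: bool = False
    states: Dict[Tuple[str, str, str, str], Optional[str]] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def filter(self, pkt: Packet, direction: str, iface: str) -> bool:
        key = (direction, iface, pkt.src, pkt.dst)
        if key in self.states:
            # A state match short-circuits the rule set, so no rule gets the
            # chance to attach a tag to this packet.
            if self.tag_on_state:
                pkt.tag = self.states[key]
            self.trace.append(f"{direction} {iface}: state match, tag={pkt.tag}")
            return True
        last = None
        for r in self.rules:                # last matching rule wins
            if r.direction not in (None, direction):
                continue
            if r.iface not in (None, iface):
                continue
            if r.tagged is not None and pkt.tag != r.tagged:
                continue
            last = r
        passed = last is not None and last.action == "pass"
        if passed and last.tag is not None:
            pkt.tag = last.tag
        if passed and last.keep_state:
            self.states[key] = pkt.tag      # stored, but only used if tag_on_state
        verdict = "pass" if passed else "block"
        self.trace.append(f"{direction} {iface}: rule {verdict}, tag={pkt.tag}")
        return passed


def forward(box: Box, pkt: Packet) -> str:
    """One packet through the box: in on if1, TTL decrement, out on if2."""
    if not box.filter(pkt, "in", "if1"):
        return "dropped"
    pkt.ttl -= 1
    if pkt.ttl == 0:
        return "expired"                    # box answers with ICMP time exceeded
    if not box.filter(pkt, "out", "if2"):
        return "dropped"
    return "forwarded"


def ruleset() -> List[Rule]:
    # block log all / pass in on $if1 keep state tag THROUGH / pass out on $if2 tagged THROUGH
    return [
        Rule("block", None, None),
        Rule("pass", "in", "if1", tag="THROUGH", keep_state=True),
        Rule("pass", "out", "if2", tagged="THROUGH"),
    ]


def traceroute(box: Box, hops: int) -> List[str]:
    """Probes with TTL 1..hops from one flow (constructed addresses)."""
    return [forward(box, Packet("10.0.0.2", "192.0.2.9", ttl)) for ttl in range(1, hops + 1)]


if __name__ == "__main__":
    stock = Box(ruleset())
    print(traceroute(stock, 2))             # ['expired', 'dropped']
    print("\n".join(stock.trace))
    remembered = Box(ruleset(), tag_on_state=True)
    print(traceroute(remembered, 2))        # ['expired', 'forwarded']
```

In the stock run the TTL-1 probe is tagged and creates inbound state, then expires at the box; the TTL-2 probe matches that state, skips the rules, arrives at the outbound side untagged and falls to `block log all`. Flipping `tag_on_state` is the only difference in the second run, which is the part of the model that is an assumption rather than pf behaviour described in the thread.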
