On 03.12.2006 at 21:45, Camiel Dobbelaar wrote:
Try using "flags S/SA keep state" on all your tcp rules.
On exit, there is no discrimination by protocol in my rule set.
Changing that would clutter things.
On Sat, 2 Dec 2006, Axel Rau wrote:
and exit like
pass out quick on $dmz_if tagged GREEN_DMZ keep state
If "flags S/SA" were simply ignored for non-TCP packets, I would be
happy.
But the man page says:
"This rule only applies to TCP packets that have the flags <a> set
out of set <b>."
This means to me: all non-TCP packets are ignored by this rule.
So let's make a test...
and exit like
pass out quick on $dmz_if tagged GREEN_DMZ $tcp_options
..
Oh wonder, exit rules seem to work as expected. (-:)
This means:
***Non-TCP packets are being passed and state is kept!***
Could someone insert this sentence in the pf.conf man page?
That's the good news.
Bad news is: I still see:
--------------------------------------------------------------------
loose state match: TCP 84.107.12.60:57198 84.107.12.60:57198 \
217.72.192.149:25 [lo=59866068 high=59877651 \
win=65535 modulator=0 wscale=0] [lo=3235423848 high=3235489347 \
win=11584 modulator=0 wscale=0] 9:4 R seq=59866068 ack=3235423848 \
len=0 ackskew=0 pkts=10:9
--------------------------------------------------------------------
One more hint?
Thanks a lot, Axel
---------------------------------------------------------------------
Axel Rau, Frankfurt, Germany +49 69 9514 18 0
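For readers following the thread: the following pf.conf fragment is an added illustration, not a rule set posted by Axel or Camiel. It shows the two ways of writing the exit rule discussed above: the single rule carrying "flags S/SA keep state" for every protocol (as tested in the message), and the per-protocol split that Camiel's advice amounts to, where "flags S/SA" is attached only to "proto tcp" rules so that a TCP state is created only on the initial SYN, while UDP/ICMP still get a state entry of their own. The interface name, the tag and the macro names are assumed for the example.

```conf
# Added example (not from the thread). Assumed macros:
dmz_if      = "em1"                 # assumed interface name
tcp_options = "flags S/SA keep state"

# Variant A: one exit rule for all protocols, as tested in the message.
# "flags S/SA" only constrains TCP; non-TCP packets still match and
# get state, because the rule has no "proto" restriction.
pass out quick on $dmz_if tagged GREEN_DMZ $tcp_options

# Variant B: the protocol split Camiel's advice leads to.
# TCP state is created only on the initial SYN (S set, A not set),
# so pf sees the handshake and window-scaling negotiation of every
# connection it tracks. Other protocols keep state without any
# TCP-flag condition.
pass out quick on $dmz_if proto tcp tagged GREEN_DMZ $tcp_options
pass out quick on $dmz_if proto { udp icmp } tagged GREEN_DMZ keep state
```

Whichever variant is used, "pfctl -nf /etc/pf.conf" checks the syntax without loading it, and "pfctl -ss" afterwards shows whether UDP and ICMP entries actually appear in the state table alongside the TCP ones.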