Re: Problem with state and PF on a 4.3 setup

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Henning Brauer <lists-openbsd@...>

To: <misc@...>

Subject: Re: Problem with state and PF on a 4.3 setup

Date: Thursday, May 8, 2008 - 9:21 am

* Steve Johnson <maillist@sjohnson.info> [2008-05-08 14:57]:
quoted text> Is the state direction tracking something that changed at one point of the 
> PF development or has it always been like that?

it has always been like that.

it is the only sane thing to do. once you exceed that little 2 
interfaces firewall scenario you'll see why... you put policies on 
interfaces, and anyonegoing fron netA to netB must pass the outbound 
policy on the netA facing interface and the inbound policy in the netB 
facing interface (to make things more confusing, the inbound policy is 
what gets written as "pass ->out<- on... anyway). with the one state 
covering everything you bypass netB's inbound policy, which is both 
dangerous and stupid.

ipfilter does it that way.

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: Problem with state and PF on a 4.3 setup, Stuart Henderson, (Thu May 8, 8:18 am)

Re: Problem with state and PF on a 4.3 setup, Steve Johnson, (Thu May 8, 8:50 am)

Re: Problem with state and PF on a 4.3 setup, Henning Brauer, (Thu May 8, 9:21 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
David Miller	[GIT]: Networking
Thomas Gleixner	Re: Regression in 2.6.27 caused by commit bfc0f59
Rafael J. Wysocki	[Bug #11342] Linux 2.6.27-rc3: kernel BUG at mm/vmalloc.c - bisected
jmerkey	[ANNOUNCE] mdb: Merkey's Linux Kernel Debugger 2.6.27-rc4 released
git:
Mike	I don't want the .git directory next to my code.
Kevin Ballard	Re: git on MacOSX and files with decomposed utf-8 file names
Karl	Re: git-svn should default to --repack
Ken Pratt	pack operation is thrashing my server
openbsd-misc:
carlopmart	About Xen: maybe a reiterative question but ..
NetOne - Doichin Dokov	OpenBSD as Xen domU
Nick Guenther	Re: Real men don't attack straw men
Paul Barbeau	RAID/Intel Installation Problem
linux-netdev:
Wang Chen	[V#2 PATCH 0/18] netdevice: Fix directly reference of netdev->priv
Indan Zupancic	Re: Realtek 8111C transmit timed out
Alexey Kuznetsov	Re: [TCP]: TCP_DEFER_ACCEPT causes leak sockets
Alexey Dobriyan	Re: [GIT]: Networking

Latest forum posts


Personal opinions about Video Poker	7 minutes ago	Applications and Utilities
trouble with my Asus Mainboard	44 minutes ago	Linux kernel
Which games would you prefer in online casinos?	44 minutes ago	Linux kernel
help in UDP catching module..	18 hours ago	Linux kernel
Is there anything like Real-time drivers?	2 days ago	Linux general
ns16550 serail console in Linux 2.6.19	2 days ago	Linux general
what class should i use to register my devices	2 days ago	Linux kernel
reset bios pasword toshiba	3 days ago	Hardware
Analysis of Process Scheduling	4 days ago	Linux kernel
RT Kernel and SSH Server Panics	4 days ago	Linux kernel

Show all forums...

Recent Tags

filesystem 2.6.27-rc5 Andrew Morton 2.6.27 -rc5 Linus Torvalds -rc4 Linux quote -rc Daniel Phillips Tux3 H. Peter Anvin

more tags

Colocation donated by:

Online users

Syndicate