I've just committed code based on a suggestion made by Daniel Hartmeier
to make flags S/SA keep state the default for rules.

NOTE: This change is in -current only, and does not apply to the
4.0 release.

These changes make pf rulesets significantly cleaner, improving
readability. More importantly, it makes the recommended behaviour the
default, something that OpenBSD tries to do wherever possible.

- Stateful filtering should be used on most rules for performance as
  well as security reasons, and stateless filtering is by far the
  exception.

- The flags S/SA change ensures that for TCP connections only initial
  syn packets can match a rule and create a new state. While PF supports
  creation of state on intermediate packets, it makes application of some
  security mechanisms impossible, and it makes PF unable to correctly deal
  with TCP window scaling on the connection. This has increasingly become
  a problem as more OSs ship with window scaling and increased buffers
  enabled by default. 

Most users will not see any consequences of these changes, but there are
a few cases where this has impact:

        * Users who are doing stateless filtering on purpose

        * Users who expect to be able to flush their state table, fail
          over without pfsync, or reboot their firewall and have the
          states recreated from intermediate packets.

Users in either of these categories should use the 'no state' and/or
'flags any' options where appropriate to explicitly request the current
behaviour of their ruleset.

----- Forwarded message from Ryan Thomas McBride <[EMAIL PROTECTED]> -----

Date: Fri, 6 Oct 2006 04:45:44 -0600 (MDT)
From: Ryan Thomas McBride <[EMAIL PROTECTED]>
Subject: CVS: cvs.openbsd.org: src
To: [EMAIL PROTECTED]
X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=ham 
        version=3.1.1

CVSROOT:        /cvs
Module name:    src
Changes by:     [EMAIL PROTECTED]       2006/10/06 04:45:44

Modified files:
        sbin/pfctl     : parse.y 

Log message:
Make 'flags S/SA keep state' the implicit for filter rules, based on
a suggestion from [EMAIL PROTECTED] Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@


----- End forwarded message -----

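The following pf.conf fragment is an added illustration of the change described in the message above; it is not part of Ryan McBride's post or the OpenBSD commit. The interface name, address and port are constructed for the example. It shows the rule as it had to be written under the old defaults, the equivalent rule under the new implicit 'flags S/SA keep state', and the two explicit opt-outs ('no state' and 'flags any') for the cases the message lists.

```pf
# Added example, not from the original message. Interface, address and
# port values below are constructed for illustration only.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Old (4.0 and earlier) defaults: the recommended behaviour had to be
# spelled out on every TCP rule.
#   pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# -current: the same rule, now equivalent to the line above. Only an
# initial SYN can match and create state, so window scaling on the
# connection is tracked correctly.
pass in on $ext_if proto tcp from any to $web_srv port 80

# Opt-out 1: deliberate stateless filtering. No state entry is created;
# every packet of the connection is evaluated against the ruleset.
pass in on $ext_if proto tcp from any to $web_srv port 80 no state

# Opt-out 2: allow state to be created from intermediate (non-SYN)
# packets, e.g. so established connections survive a state-table flush
# or a reboot without pfsync. pf cannot track window scaling on states
# created this way, which is why the message advises against it.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags any
```

A ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`. With the new defaults, flushing the state table (`pfctl -F state`) means in-flight TCP connections no longer match the default rules until the client opens a new connection with a SYN; only rules carrying 'flags any' will pick them up again from intermediate packets.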