On Mon, Jan 31, 2011 at 05:10:04PM +0000, Jason McIntyre wrote:
> On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
> > then i change my mind and we should add a note that the default pass
> > behaviour (NOT rule, even tho there kinda is a default rule
> > internally...) doesn't lead to state creation.
>
> firstly, what is the reason for the "no state" of packets passed by
> default (i.e. without matching a rule)?

I imagine: the least surprising "no pf" default behaviour is passing all
packets (given net.inet.ip.forwarding=1); this should hold even if you're
in some odd asymmetric routing setup where pf's state-tracking would not
work.

Joachim
-- 
PotD: security/scrypt - command-line encryption using scrypt key derivation function
http://www.joachimschipper.nl/
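As an added illustration of the point made in this thread (this fragment is not from the thread or from the OpenBSD pf sources): the implicit default passes a packet that matches no rule without creating state, but as soon as an explicit `pass` rule matches, pf creates state by default. On a box in the asymmetric routing setup Joachim describes, that state would never see the return traffic. The `no state` option on a rule reproduces the stateless behaviour explicitly. The interface name `em0` and the port 80 selection are constructed for the example.

```pf
# Added example, not part of the original thread.
# Assumed interface name for the illustration.
ext_if = "em0"

# A plain "pass" rule keeps state; on an asymmetric path this host only sees
# one direction of the flow, so the state entry would be useless or harmful.
# "no state" passes the packet without a state entry, matching the behaviour
# packets get when they match no rule at all.
pass in  quick on $ext_if proto tcp from any to any port 80 no state
pass out quick on $ext_if proto tcp from any to any port 80 no state

# Everything else keeps the normal stateful default of an explicit pass rule.
pass
```

The `quick` keyword stops evaluation at the stateless rule, so the trailing stateful `pass` never applies to the asymmetric flow; without `quick`, the last matching rule would win and state would be created after all.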