On May 18, 2008, at 9:19 AM, Matthew Seaman wrote:

Johan Ström wrote:

drop all traffic)? A check with pfctl -vsr reveals that the actual rule inserted is "pass on lo0 inet from 123.123.123.123 to 123.123.123.123 flags S/SA keep state". Where did that "keep state" come from?

'flags S/SA keep state' is the default now for tcp filter rules -- that was new in 7.0 reflecting the upstream changes made between the 4.0 and 4.1
releases of OpenBSD.  If you want a stateless rule, append 'no state'.

http://www.openbsd.org/faq/pf/filter.html#state

Thanks! I was actually looking around in the pf.conf manpage but failed to find it yesterday, but looking closer today I now saw it. Applied the "no state" (and "quick") to the rule, and now no state is created. And the problem I had in the first place seems to have been resolved too now, even though it didn't look like a state problem.. (started to deny new connections much earlier than the states were full, although maybe I wasn't looking for updates fast enough or something).

Anyways, thanks to all helping me out, and of course thanks to everybody involved in FreeBSD/pf and all for great products! Cannot be said enough times ;)
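For readers following the exchange above, here is an added pf.conf fragment (not from the thread or from the FreeBSD/OpenBSD projects) that puts the two forms side by side: a TCP rule written with no state keywords, which pf on FreeBSD 7.0 and later expands to the "flags S/SA keep state" form seen in the pfctl -vsr output, and the same rule made explicitly stateless with "no state" and "quick". The interface name lo0, the address 123.123.123.123 and the "proto tcp" qualifier are assumptions taken from the rule quoted in the thread.

```pf
# Added example pf.conf fragment. Interface, address and "proto tcp" are
# assumptions mirroring the rule discussed in the thread.
ext_if = "lo0"
host   = "123.123.123.123"

# Written without any state keywords. Since FreeBSD 7.0 (OpenBSD 4.1 pf
# semantics) pf expands this TCP rule to
#   pass on lo0 inet proto tcp from ... to ... flags S/SA keep state
# so it creates a state table entry for every matching connection.
pass on $ext_if inet proto tcp from $host to $host

# Explicitly stateless form. "no state" suppresses the default state
# tracking; "quick" stops evaluation at this rule so that a later, stateful
# rule cannot match the same packets and create state anyway.
pass quick on $ext_if inet proto tcp from $host to $host no state
```

After loading the file with pfctl -f, pfctl -vsr shows each rule exactly as pf will apply it, so the presence or absence of "keep state" on the expanded rule is the thing to check rather than the text in pf.conf. The first rule's connections then show up in pfctl -ss, the second rule's do not. Stateless rules trade away pf's sequence-number tracking and per-connection accounting, so they are best reserved for cases like the one in the thread, where filling the state table with loopback traffic is the problem being avoided.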
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable