On 12/15/2015 07:29 PM, Stuart Henderson wrote:
On 2015-12-15, C. L. Martinez <carlopm...@gmail.com> wrote:
On Tue, Dec 15, 2015 at 9:56 AM, David Dahlberg
<david.dahlb...@fkie.fraunhofer.de> wrote:
On Tuesday, 15.12.2015, 09:24 +0000, C. L. Martinez wrote:
  I am trying to remove "flags S/SA keep state" for tcp packets inside
pf.conf and use "keep state" only, as can be done with udp and icmp.

  According to the pf.conf man page, this is possible by inserting "no state"
in the tcp rule, but I can't use keep state.

"keep state" is addressed in pf.conf(5) (e.g. "Stateful Tracking
Options"), but it is not mentioned as often, as it is the default.

IOW: If you have not changed the default options, you may simply
remove the "flags S/SA keep state" string without changing much (except
that it might now also match UDP/ICMP).


Thanks David. I have not changed any default options but I can't see
how I can remove these flags ... I have tried with "flags any keep
state" without result. If I use "no state", packets are rejected ...

"flags any no state" does remove the "flags s/sa" from the rule.
If that doesn't help then perhaps that's not what the problem is.


Ok, I have done more tests and maybe there is some type of incompatibility between how OpenBSD manages divert sockets and Suricata.

Has anyone tried to use Snort with OpenBSD divert sockets?
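A constructed pf.conf fragment illustrating the three rule forms discussed earlier in the thread (the explicit default, the implicit default, and the stateless form Stuart suggests). This is an added example, not text from any of the participants; the `$ext_if` macro and port 22 are assumptions.

```pf
# Constructed example: the interface macro and the service port are
# assumptions, not values from the thread.
ext_if = "em0"

# 1. Explicit form. "flags S/SA keep state" is pf's default for TCP,
#    so writing it out changes nothing: only an initial SYN (no ACK)
#    matches, and a state entry then carries the rest of the flow.
pass in on $ext_if proto tcp to port 22 flags S/SA keep state

# 2. Same behaviour with the defaults left implicit (David's point).
pass in on $ext_if proto tcp to port 22

# 3. Stateless form (Stuart's point): "flags any" drops the S/SA check
#    and "no state" creates no state entry, so every packet in both
#    directions is evaluated by the ruleset on its own. The reply
#    direction therefore needs its own rule.
pass in  on $ext_if proto tcp to   port 22 flags any no state
pass out on $ext_if proto tcp from port 22 flags any no state
```

Checking the result with `pfctl -nvf /etc/pf.conf` (parse and print without loading) shows which rules still carry `flags S/SA keep state` and which do not.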
