On Tue, Feb 01, 2011 at 10:53:31AM +1300, Paul M wrote:
> >On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
> >>
> >>then i change my mind and we should add a note that the default pass
> >>behaviour (NOT rule, even tho there kinda is a default rule
> >>internally...) doesn't lead to state creation.
> 
> Perhaps it could be worded in terms of what one should do instead of
> what one should not do - something along the lines of:
> 
>         By default pf(4) filters packets statefully: the first time
>         a packet matches a pass rule, a state entry is created. If
>         no pass rule is matched, no state is created for that packet.
> 

this might be the solution, but i'm not sure. the problem is, i expect
people will need this information around the point that they read:

        if no rule matches the packet, the default action is to pass
        the packet.

however to start talking about state there, before we get to the bit
that explains what state is, is unhelpful (to say the least).

for example, when ted talked about being caught out about this, he was
focussing on the default pass bit of pf, not how stateful filtering
works.

hence my hinting earlier that a fix may not be immediately obvious.
of course maybe your solution is pretty much a best compromise.

jmc
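To make the behaviour the thread is arguing over concrete, here is an added pf.conf illustration; it is not from the thread, from jmc's manual page text, or from the pf source. The interface name em0 and the port numbers are assumptions chosen for the example.

```pf
# Added example, not part of the original thread.
#
# Ruleset 1: a single rule. Any packet it does not match (for instance an
# inbound TCP connection to port 80) falls through to pf's default action:
# the packet is passed, but no state entry is created. The reply packets
# also match no rule and are passed the same way, so the connection works
# without ever appearing in the state table.
pass in on em0 proto tcp from any to any port 22

# Ruleset 2: same intent, but the default is made explicit with "block",
# so no packet ever reaches the implicit default action. The last matching
# rule wins, so port 22 is still passed, and that match creates a state
# because pf filters statefully by default.
block all
pass out on em0
pass in on em0 proto tcp from any to any port 22

# The only way a *matched* pass rule produces no state is to ask for it:
pass in on em0 proto tcp from any to any port 80 no state
```

Load a ruleset with `pfctl -f /etc/pf.conf` and list the state table with `pfctl -ss`. Under ruleset 1 a connection to port 80 goes through but never shows up in `pfctl -ss`, which is exactly the surprise described above: the traffic was passed by the default action, not by a pass rule. Under ruleset 2 the same connection is blocked, and the port 22 connection shows a state.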