On Thu, Mar 30, 2006 at 06:34:02PM +, George Pontis wrote:
> For a rule that matches both UDP and TCP packets, is "flags S/SA"
> safely ignored for UDP ?
Yes, the rule matches UDP packets as if the "flags S/SA" wasn't there.
Daniel
Daniel Hartmeier wrote:
> ...
> Make sure that all your 'pass keep state' rules which can possibly
> apply to TCP packets also use 'flags S/SA' (so they only apply to
> initial SYNs), and that you block other TCP packets by default.
>
> ...
For a rule that matches both UDP and TCP packets, is "
Daniel Hartmeier wrote:
> On Wed, Mar 29, 2006 at 01:07:10PM +0100, Ian Chard wrote:
>
>> Can someone please help me track this down?
>
> Looks like you don't create state on the initial TCP SYN packet, but on
> a subsequent packet (like, the SYN+ACK flowing in the reverse
> direction). That's us
On Wed, Mar 29, 2006 at 01:07:10PM +0100, Ian Chard wrote:
> Can someone please help me track this down?
Looks like you don't create state on the initial TCP SYN packet, but on
a subsequent packet (like, the SYN+ACK flowing in the reverse
direction). That's usually a mistake in the ruleset and no
0
[lo=2543330857 high=2543330869 win=49232 modulator=0] [lo=25270494
high=25319726 win=1460 modulator=0] 4:4 PA seq=2543330857 ack=25270494
len=1128 ackskew=0 pkts=3:2 dir=in,fwd
pf: State failure on: 1 |
(IP addresses changed)
There are more "BAD state" messages logged, but they ar
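As an added illustration (not from the thread), here is a pf.conf fragment contrasting the mistake Daniel describes with the corrected ruleset; the interface name and addresses are assumptions, and the syntax is that of OpenBSD pf from this period, where "flags S/SA" and "keep state" had to be written explicitly.

```pf
# Added example, not part of the original thread. $ext_if and the
# addresses are assumed values; adjust to your own setup.
ext_if  = "fxp0"
www_srv = "192.0.2.10"

# --- Problematic: creates state on ANY matching TCP packet --------------
# A packet seen mid-stream (for example the SYN+ACK, or a PSH/ACK after
# the original state expired) creates a state with a wrong sequence
# window, and the rest of the connection is then logged as "BAD state".
#   pass in  on $ext_if proto tcp from any to $www_srv port 80 keep state
#   pass out on $ext_if proto tcp from $www_srv to any keep state

# --- Corrected: state only from the initial SYN, rest blocked ----------
block in  log all            # default deny: stray mid-stream TCP is dropped
block out log all

# S/SA: SYN must be set and ACK clear, i.e. only the connection's first
# packet can create state; every later packet must match that state.
pass in  on $ext_if proto tcp from any to $www_srv port 80 \
    flags S/SA keep state

# One rule for TCP and UDP: "flags S/SA" applies to the TCP packets only
# and is ignored for UDP, as confirmed above, so no separate UDP rule
# is needed.
pass in  on $ext_if proto { tcp udp } from any to $www_srv port 53 \
    flags S/SA keep state

# Outbound connections from the host get the same discipline.
pass out on $ext_if proto tcp from $www_srv to any flags S/SA keep state
pass out on $ext_if proto udp from $www_srv to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `pflog` for any "BAD state" messages that remain after the change.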