[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf state initiator question

To: OpenBSD <misc@openbsd.org>
Subject: pf state initiator question
From: Dirk Rosler <dirk@unicircuits.com>
Date: Fri, 01 Mar 2002 14:30:43 +0000
User-Agent: Microsoft-Entourage/10.0.0.1331

Hi,

I was pondering on this:

Given the rule sets

pass in quick on $ExtIF inet proto tcp from $IntNet to any port = 22
block in log quick on $ExtIF from any to any
pass out on $ExtIF from any to any keep state

and

pass in quick on $ExtIF inet proto tcp from $IntNet to any port = 22 flags S
keep state
block in log quick on $ExtIF from any to any
pass out on $ExtIF from any to any flags S keep state


In the first case (partly taken from the pf FAQ) a state entry is created by
the 3rd rule (by a SYN/ACK?), as the response to an incoming ssh connection
goes out.

In the second case the state entry is created by the incoming ssh connection
(making in this situation the third rule redundant as the response is
allowed out).

I am wondering whether this has any implications, given that broadly
speaking an outgoing connection could be considered 'friendly' or more
trustworthy whilst incoming is potentially hostile. Does it matter which
side creates the state entry?

Dirk

Follow-Ups:
- Re: pf state initiator question
  - From: Daniel Hartmeier <daniel@benzedrine.cx>

Prev by Date: mod_keynote Apache module
Next by Date: Kernel Panic
Prev by thread: mod_keynote Apache module
Next by thread: Re: pf state initiator question
Index(es):
- Date
- Thread