
Re: pf state issue



On Fri, Mar 14, 2003 at 01:28:02PM -0500, ben fleis wrote:
> udp 127.0.0.1:30551 -> 127.0.0.1:53       MULTIPLE:SINGLE
> udp 127.0.0.1:53 -> 127.0.0.1:30551       SINGLE:NO TRAFFIC
> 
> since udp itself is stateless, each half of the connection ought to simply
> be held on a timer, nothing else.  and each half of pf's state table ought
> to mirror its reflexive twin, in all aspects, or so i would believe.  can u
> recast the explanation to udp?  thanks :)
One possible explanation is an asymmetric ruleset like
  pass in on lo0 keep state
  pass out on lo0
The same packet goes through lo0 in both directions, and since the
direction is part of the state entry key, two states are created.
In one direction, though, the first packet (assuming a simple DNS query and
reply) does not create state yet; state is only created on the reply.
Hence, only one of the two packets matched this state entry.
But it's kind of a moot point; filtering on lo0 doesn't make sense in
general. I have yet to see a useful application, at least.
Daniel
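As an added illustration (my own model, not code from pf or from anyone in this thread), the Python below simulates the lookup Daniel describes: a state key that includes direction, reverse matching with the addresses swapped, and loopback packets that pass lo0 twice (out, then in). The two rulesets, the packet values and the pfctl-style labels are constructed approximations.

```python
# Added example: simplified model of pf's state lookup on lo0, showing why
# "pass in on lo0 keep state" + "pass out on lo0" (no state) yields two UDP
# states of which one never sees a reply. Constructed; not pf's real code.
from collections import OrderedDict

QUERY = ("udp", "127.0.0.1:30551", "127.0.0.1:53")   # constructed DNS query
REPLY = ("udp", "127.0.0.1:53", "127.0.0.1:30551")   # constructed DNS reply

ASYMMETRIC = {"in": True, "out": False}   # pass in keep state / pass out
SYMMETRIC = {"in": True, "out": True}     # keep state in both directions

def simulate(rules, packets):
    """Run packets through lo0 (each is seen 'out' then 'in') and return
    the state table as {key: [forward_pkts, reverse_pkts]}.
    Key = (proto, src, dst, direction); a packet also matches a state when
    it is that key's reverse (addresses swapped, opposite direction)."""
    states = OrderedDict()
    for proto, src, dst in packets:
        for direction in ("out", "in"):        # loopback: leaves, then re-enters
            opposite = "in" if direction == "out" else "out"
            fwd = (proto, src, dst, direction)
            rev = (proto, dst, src, opposite)
            if fwd in states:
                states[fwd][0] += 1
            elif rev in states:
                states[rev][1] += 1
            elif rules[direction]:             # no match: does the rule keep state?
                states[fwd] = [1, 0]
            # a plain pass rule without keep state leaves no trace
    return states

def label(count):
    """Approximation of the pfctl -ss wording for the halves of a UDP state."""
    return {0: "NO TRAFFIC", 1: "SINGLE"}.get(count, "MULTIPLE")

def show(rules, packets):
    return [f"{p} {s} -> {d} ({dirn}) {label(f)}:{label(r)}"
            for (p, s, d, dirn), (f, r) in simulate(rules, packets).items()]

if __name__ == "__main__":
    # Second scenario assumes the resolver retransmits the query once.
    for name, rules, pkts in (("asymmetric", ASYMMETRIC, [QUERY, REPLY]),
                              ("asymmetric, one retry", ASYMMETRIC, [QUERY, QUERY, REPLY]),
                              ("symmetric", SYMMETRIC, [QUERY, REPLY])):
        print(name)
        for line in show(rules, pkts):
            print(" ", line)
```

With the asymmetric ruleset the reply's second pass over lo0 matches nothing and so creates a state that has no traffic on its reverse side; with keep state in both directions both states see the query and the reply.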