
keep vs modulate state in pf rules

Greetings Folks,
I have been reviewing my rule sets and decided to seek clarification
about the TCP state stuff.
Here is what I use now:
incoming connections:
  pass in quick on $ext_if proto tcp from any to <8888> port 8888 flags S/SA modulate state
  pass out on $ext_if proto tcp from <ssh_out> to any port 22 keep state
i.e. we allow any outgoing packet to establish state, but only SYNs or
SYN-ACKs to establish state for incoming packets.
Thus, if the firewall loses state, only incoming connections will get
dropped when it comes back (or when we fail over to the backup; I have not
got pfsync going yet).
I am not sure now why I chose to use modulate state only on incoming
connections.  Is this sensible?
Cheers, Russell
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
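An added pf.conf example, not from the original post, that puts the two posted rules side by side with a tightened outbound variant so the difference between "keep state" and "flags S/SA modulate state" is visible in one place. The interface name, the addresses and the table contents are assumptions for illustration only.

```pf
# Added example, not from the original post. Interface, addresses and
# table contents are assumptions for illustration.
ext_if = "fxp0"

table <8888>    persist { 192.0.2.10, 192.0.2.11 }   # assumed service hosts
table <ssh_out> persist { 192.0.2.0/24 }             # assumed internal net

# Inbound, as posted: state is created only by a packet with SYN set and
# ACK clear (flags S/SA). The connection's ISNs are rewritten with random
# offsets that live only in the state entry.
pass in quick on $ext_if proto tcp from any to <8888> port 8888 \
    flags S/SA modulate state

# Outbound, as posted: no flags, so any packet matching the rule, even one
# from the middle of an already established connection, creates a state
# entry. This is why outbound sessions survive a state-table loss.
pass out on $ext_if proto tcp from <ssh_out> to any port 22 keep state

# Outbound, tightened: the same SYN-only gate as the inbound rule, without
# ISN rewriting. With this variant an outbound session whose state entry is
# lost can no longer re-create state from a mid-stream packet.
# pass out on $ext_if proto tcp from <ssh_out> to any port 22 \
#     flags S/SA keep state
```

Parse-check a candidate file with `pfctl -nf /etc/pf.conf` before loading it, and inspect the resulting entries with `pfctl -ss`. Two caveats worth keeping in mind: "modulate state" only applies to TCP, and because the random sequence offsets are held in the state entry, a modulated connection whose entry is lost cannot be picked up mid-stream by any rule; its packets arrive with shifted sequence numbers and are dropped or reset, which is the inbound-only loss the post describes. pfsync replicates state entries to the backup, so once it is running the failover case no longer depends on which rules carry "flags S/SA".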