Re: pf add not working

To: Zoran Kolic <zkolic%sbb.rs@localhost>
Subject: Re: pf add not working
From: "D'Arcy J.M. Cain" <darcy%NetBSD.org@localhost>
Date: Sun, 23 Nov 2014 13:22:01 -0500

On Sun, 23 Nov 2014 17:27:24 +0100
Zoran Kolic <zkolic%sbb.rs@localhost> wrote:
> > Then it will once again treat continuing connections as the same
> > connection and fail to block it.
> 
> I have to rethink about this. To my knowledge, it should not.
> Different sessions, right?

That's the point.  The application sees it as connections but it's UDP
so the networking layer doesn't see the relationship between one
connection and another.  It's pf that tries to relate them if you tell
it to keep state but it has no way to connect them except by IP and
port so every packet appears to be part of the same "connection."

> I will need some time to think again. And read manuals.
> For sure, I know where this might be taken for better
> answer than mine: misc%openbsd.org@localhost. You don't have to

I think we must be having a language issue.  I'm pretty sure that I
already have the answer and I am just explaining it for the benefit of
future searchers.  I will know for sure in a few days if I am right.
If you are unsure feel free to ask on the OpenBSD list.

To summarize, the answer to my original issue is to NOT keep state on
incoming UDP connections.

-- 
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost

Follow-Ups:
- Re: pf add not working
  - From: D'Arcy J.M. Cain

References:
- Re: pf add not working
  - From: Zoran Kolic
- Re: pf add not working
  - From: D'Arcy J.M. Cain
- Re: pf add not working
  - From: Zoran Kolic
- Re: pf add not working
  - From: D'Arcy J.M. Cain
- Re: pf add not working
  - From: Zoran Kolic

Prev by Date: Re: pf add not working
Next by Date: Xorg applications take ages to load, unless started from xterm
Previous by Thread: Re: pf add not working
Next by Thread: Re: pf add not working
Indexes:

Home | Main Index | Thread Index | Old Index