Subject: Re: pf and state entries at securelevel 2
To: Peter Postma <peter@pointless.nl>
From: Nino Dehne <ndehne@gmail.com>
List: tech-net
Date: 06/15/2005 11:31:08
On Wed, Jun 15, 2005 at 11:11:17AM +0200, Peter Postma wrote:
> > 1) Should pf update state entries which are the result of a rule with
> > "dynamic" address syntax?
> 
> No, pf should leave the states alone.

So who is at fault that states remain in ESTABLISHED state for a whole
day? Can the client be blamed for not trying to reset the connection? OTOH, I
am guessing that any attempt of the client to close the connection with
the now invalid source address would lead to the leakage of packets with a
"spoofed" source address over the newly established connection.

> > 2) Should state entries remain flushable even with securelevel 2?
> 
> No, any action from pfctl that changes things like rules, states, etc.
> is not possible at securelevel 2. So in your case it would probably be
> better to run at securelevel 1.

Yes, it's probably best to enforce a strict policy that disallows any
modifications - even of dynamically created structures - at securelevel 2.

However, I still believe that for rules - and only rules - like

   nat on pppoe0 inet from (vlan1:network) to any -> (pppoe0)

the resulting states should somehow inherit the dynamic nature of the peer
addresses. Just a gut feeling though.

Regards,

ND
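An added example, not part of the thread above: the situation Nino describes (a nat rule written with the dynamic "(pppoe0)" syntax, the PPPoE address changing, and the existing states still carrying the old translated source) can at least be detected from pfctl output even when securelevel 2 prevents flushing the states. The script below is a POSIX sh/awk check over a constructed sample of `pfctl -ss` lines; the "src -> nat_src -> dst" line format is an assumption about pf's state listing of that era, the sample addresses are constructed, and only IPv4 "addr:port" notation is handled. On a real box you would feed `pfctl -ss` and the current address of pppoe0 (e.g. from ifconfig) into stale_nat_states instead of the sample.

```shell
#!/bin/sh
# Constructed sample of "pfctl -ss" output (format assumed):
#   self proto src:port -> translated:port -> dst:port   STATE:STATE
# Two states still carry the old pppoe0 address 203.0.113.5; one was
# created after the address changed to 203.0.113.9.
SAMPLE_STATES='self tcp 192.168.1.10:51234 -> 203.0.113.5:51234 -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.11:51235 -> 203.0.113.9:51235 -> 198.51.100.21:443       ESTABLISHED:ESTABLISHED
self udp 192.168.1.12:5000 -> 203.0.113.5:5000 -> 198.51.100.22:53       MULTIPLE:SINGLE'

# stale_nat_states CURRENT_ADDR
# Reads pfctl -ss style lines on stdin and prints every NAT state whose
# translated source address (field 5, IPv4 "addr:port") is not the address
# the external interface holds now. Such states keep sending packets with
# the old, no longer valid, source address.
stale_nat_states() {
    awk -v cur="$1" '
        NF >= 8 && $4 == "->" && $6 == "->" {
            nat = $5
            sub(/:[0-9]+$/, "", nat)     # strip the port, keep the address
            if (nat != cur) print $0
        }'
}

# count_stale_nat_states CURRENT_ADDR
# Convenience wrapper over the constructed sample; returns the number of
# stale states on stdout so the result can be checked or alerted on.
count_stale_nat_states() {
    printf '%s\n' "$SAMPLE_STATES" | stale_nat_states "$1" | wc -l | tr -d ' '
}

# Usage (current pppoe0 address is the constructed 203.0.113.9):
#   pfctl -ss | stale_nat_states "$(ifconfig pppoe0 | awk '/inet /{print $2}')"
# Against the sample this reports the two states still bound to 203.0.113.5.
count_stale_nat_states 203.0.113.9
```

Since at securelevel 2 the stale states cannot be flushed from userland, a check like this is mainly useful for monitoring: it tells you how many connections were silently pinned to the previous address and for how long, which is the information needed to decide between running at securelevel 1 (as Peter suggests) and accepting the stuck states.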