Subject: Re: pf and state entries at securelevel 2
To: Nino Dehne <ndehne@gmail.com>
From: Peter Postma <peter@pointless.nl>
List: tech-net
Date: 06/16/2005 16:04:19
On Wed, Jun 15, 2005 at 11:31:08AM +0200, Nino Dehne wrote:
> > > 2) Should state entries remain flushable even with securelevel 2?
> > 
> > No, any action from pfctl that changes things like rules, states, etc.
> > is not possible at securelevel 2. So in your case it would probably be
> > better to run at securelevel 1.
> 
> Yes, it's probably best to enforce a strict policy that disallows any
> modifications - even of dynamically created structures - at securelevel 2.
> 
> However, I still believe that for rules - and only rules - like
> 
>    nat on pppoe0 inet from (vlan1:network) to any -> (pppoe0)
> 
> the resulting states should somehow inherit the dynamic nature of the peer
> addresses. Just a gut feeling though.
> 

With this rule, new states will get the right address if it changes on
pppoe0, but AFAIK, the old states should not change (and will disappear
eventually).

-- 
Peter Postma
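The behaviour Peter describes (new states pick up the new pppoe0 address, old states keep the one they were created with) hinges on the parentheses around the interface name in the nat rule. The pf.conf fragment below is an added illustration, not part of the thread and not NetBSD's or pf's own example; the interface names, network and address in it are constructed.

```pf
# Added illustration, not from the thread: a pf.conf fragment contrasting the
# dynamic-address form discussed above with a hard-coded address.
# Interface names, the network and the address are constructed examples.

ext_if = "pppoe0"
int_if = "vlan1"

# Dynamic form (the rule from the thread): the parentheses tell pf to look up
# the current address of pppoe0 each time the rule is evaluated, so a state
# created after the PPPoE address changes is translated to the new address.
# States created before the change keep the address they were created with
# and stay in the state table until they time out.
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)

# Static form for comparison: the address is resolved once, when the ruleset
# is loaded. After an address change every new state is still translated to
# the stale address until the ruleset is reloaded, and a reload is itself a
# rule change that pfctl cannot make at securelevel 2, per the thread.
# nat on $ext_if inet from 192.168.1.0/24 to any -> 203.0.113.1
```

With the dynamic form, `pfctl -ss` after an address change will list both kinds of states side by side: old ones still carrying the previous pppoe0 address, new ones carrying the current one. At securelevel 1 the stale ones can be dropped with `pfctl -F states`; at securelevel 2 that flush is refused along with every other pfctl change, so the stale states only disappear when their timeouts expire, which is the trade-off the thread is pointing at.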