# Does PF have stateful checking?



## baronobeefdip (Oct 3, 2013)

I have been working with IPTables for some time when I am working with Linux servers. I have been trying to ease into using FreeBSD servers and have done some reading on the OpenBSD Packet Filter firewall. IPTables have the -m --state options in order to check for connections that are invalid, already established and those that are related to an existing one, etc. I want to know if PF has a stateful checking feature like that. How do I make it check for connections with characteristics similar to what IPTables checks for. The conditions of the connection are "ESTABLISHED", "RELATED", "INVALID", "NEW".


----------



## DutchDaemon (Oct 3, 2013)

Are you kidding me? PF is a stateful firewall, the gold standard. 'keep state' is implied in all of its rulesets. Look into its 'flags' in pf.conf(5).


----------



## throAU (Oct 4, 2013)

Also google "Book of pf".  Free download `pf` manual.


----------



## wblock@ (Oct 4, 2013)

Is it legally free?  Please support Mr. Hansteen's hard work by buying the PDF or printed version.


----------



## Orum (Oct 4, 2013)

Also it's worth noting that keep state is the most basic of states.  Although it's the only one that works on "stateless" protocols (e.g. UDP) via timers, TCP can utilize modulate state and synproxy state which are very useful in some situations.


----------



## baronobeefdip (Oct 4, 2013)

This is good news for me. However I am wondering if the PF firewall has a command-line tool like IPTables does.
For example:

```
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```
Is there a command for PF like there is for IPTables?


----------



## zspider (Oct 5, 2013)

baronobeefdip said:

> This is good news for me. However I am wondering if the PF firewall has a command-line tool like IPTables does.
> For example:
>
> ```
> ...
> ```



PF is all about the command line and it's more human readable than that thing.


----------



## wblock@ (Oct 5, 2013)

Of course: pfctl(8).


----------



## plamaiziere (Oct 6, 2013)

baronobeefdip said:

> This is good news for me. However I am wondering if the PF firewall has a command-line tool like IPTables does.
> For example:
>
> ```
> ...
> ```



just "pass in proto tcp"

For RELATED, only FTP is supported via ftp-proxy(8)

Regards
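To make the comparison concrete, here is a pf.conf fragment (added as an example; it is not from any post in this thread) that does what the iptables rule above does, using the state options mentioned earlier in the thread. Interface names `em0`/`em1`, the service ports and the ftp-proxy listener port are assumptions.

```pf
# pf.conf (FreeBSD, pre-OpenBSD-4.7 syntax) -- added example, not from the thread
ext_if = "em0"   # assumption: Internet-facing interface
int_if = "em1"   # assumption: LAN interface whose clients use FTP

# --- translation rules must precede filter rules in this syntax ---
# RELATED: the only "related connection" PF tracks is FTP, and only via
# ftp-proxy(8), which inserts per-session rules into these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# --- filter rules ---
# INVALID: anything that matches neither a state entry nor a pass rule is
# dropped here; 'log' lets you see it with tcpdump -n -e -ttt -i pflog0.
block in log all

# Equivalent of:
#   iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# 'keep state' is implied on every pass rule, so the rule is only consulted for
# the first packet (NEW); later packets hit the state table (ESTABLISHED).
# 'flags S/SA' means only a SYN without ACK may create state, so a stray ACK or
# RST cannot open a state entry.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22 80 443 } \
    flags S/SA keep state

# Stronger TCP variants from Orum's post: 'modulate state' rewrites the ISN so a
# daemon with weak sequence numbers is harder to spoof; 'synproxy state' has PF
# finish the handshake itself, so half-open SYN floods never reach the daemon.
pass in on $ext_if proto tcp from any to ($ext_if) port 25 modulate state
pass in on $ext_if proto tcp from any to ($ext_if) port 80 synproxy state

# UDP has no handshake: the first packet creates the entry and it expires on the
# udp.* timers (see pfctl -st); this is the only form of state UDP can have.
pass in on $ext_if proto udp from any to ($ext_if) port 53 keep state

# Outbound traffic creates state too, so replies come back without extra rules.
pass out on $ext_if keep state

# Filter anchor for the rules ftp-proxy(8) adds for each FTP data connection.
anchor "ftp-proxy/*"
```

Load it with `pfctl -f /etc/pf.conf` and watch entries appear with `pfctl -ss`; the FTP anchors only do anything once ftp-proxy(8) is running.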


----------



## throAU (Oct 6, 2013)

wblock@ said:

> Is it legally free? Please support Mr. Hansteen's hard work by buying the PDF or printed version.



Sorry, I assumed it was free. I don't recall going to any dodgy warez-type site to get it, I just clicked the first hit as I heard about it elsewhere. I'll look for the legit copy.


----------

