pf misfeature
Dag-Erling Smørgrav
des at des.no
Thu Nov 8 11:28:22 PST 2007
Given appropriate definitions for $eth and $lan, you'd expect the
following rule to simply pass all traffic originating from and destined
for the LAN:
pass on $eth from $lan to $lan
However, in pf, "keep state" is *implicit* (why?), so you'd expect it to
turn into something like this:
pass on $eth from $lan to $lan keep state
but what you actually get is this:
pass on $eth from $lan to $lan flags S/SA keep state
which only matches TCP handshakes, so your UDP streams are screwed.
Workaround: explicitly specify TCP and UDP, causing pf to split the rule
into two:
pass on $eth inet proto { tcp, udp } from $lan to $lan
becomes
pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
pass on $eth inet proto udp from $lan to $lan keep state
There does not seem to be any way to turn off this misguided rewriting
of firewall rules.
DES
--
Dag-Erling Smørgrav - des at des.no
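The rule expansion the post describes, modelled in Python as an added example (this is not pf's own code and not from the post). It assumes exactly the behaviour stated above: a pass rule with no state option gets "keep state", a rule that can match TCP (proto tcp, or no proto at all) also gets "flags S/SA", and a proto list is split into one rule per protocol; rules that already carry an explicit state option are left untouched.

```python
import re

# Constructed model of the pf rule rewriting described in the post above;
# not pf's real parser. Assumption: every rule without an explicit state
# option gets "keep state", and rules that can match TCP (proto tcp or no
# proto given) also get "flags S/SA".
STATE_RE = re.compile(r"\b(keep|modulate|synproxy|no) state\b")
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")


def _expand_protos(rule):
    """Split 'proto { tcp, udp }' into one rule per listed protocol."""
    m = PROTO_RE.search(rule)
    if not m or not m.group(1).startswith("{"):
        return [rule]
    protos = [p.strip() for p in m.group(1).strip("{}").split(",") if p.strip()]
    return [rule[:m.start(1)] + p + rule[m.end(1):] for p in protos]


def expand_rule(rule):
    """Return the list of rules pf (as described) would load for one line."""
    out = []
    for r in _expand_protos(rule.strip()):
        if STATE_RE.search(r):
            out.append(r)  # explicit state option: left alone
            continue
        m = PROTO_RE.search(r)
        proto = m.group(1) if m else None
        # no proto means the rule can still match TCP, so it gets the flags
        if proto in (None, "tcp") and "flags" not in r:
            r += " flags S/SA"
        out.append(r + " keep state")
    return out


if __name__ == "__main__":
    for line in ("pass on $eth from $lan to $lan",
                 "pass on $eth inet proto { tcp, udp } from $lan to $lan"):
        print(line, "->", expand_rule(line))
```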