outgoing LAN traffic always in "keep state"
Ronnel P. Maglasang
rmaglasang at infoweapons.com
Mon Jun 19 06:02:19 UTC 2006
I have the NAT function enabled, and also tried enabling rdr and binat. Are you
saying the "keep state" functionality depends on these 3?
Here's my pf config file:
#
# Aliases
#
loopback = "{ lo0 }"
lan = "{ em0 }"
wan = "{ vr0 }"
#statistics
set loginterface em0
set loginterface vr0
#optimize packets
set optimization normal
#normalize outgoing packets IP ID field
scrub log on vr0 all random-id fragment reassemble
#
# NAT on WAN interface (don't use IF alias for on the fly changes)
#
nat on $wan from 20.0.0.0/8 to any -> (vr0)
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# for ssh from 10.3.1.41 to 10.10.0.161
pass in log quick on $wan proto tcp from 10.3.1.41 to 10.10.0.161 port 22
pass out log quick on $wan proto tcp from 10.10.0.161 port 22 to 10.3.1.41
# tcp from internal source to external dest
# note: response packet will not be evaluated against incoming wan rules
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp from 10.3.2.19 to any
#
# default block
#
block in log quick all
block out log quick all
Kian Mohageri wrote:
> Post your ruleset and people can help you. You're probably using
> nat/rdr/binat which create states.
>
> -Kian
>
> On 6/18/06, *Ronnel P. Maglasang* <rmaglasang at infoweapons.com
> <mailto:rmaglasang at infoweapons.com>> wrote:
>
> I have a minimum PF setup that sits in between my internal network (lan)
> and external network (wan). PF, by design, bypasses ruleset evaluation (on
> external interfaces) for incoming packets on the external interface that
> correspond to an entry in the state table or are a response to an
> internally generated packet. I observe this for TCP, UDP and also ICMP
> packets. Even if the matching rule on the internal interface does not have
> a "keep state", the response packet still bypasses the ruleset evaluation.
> Is there a way to force response packets to go through ruleset
> evaluation? I just want to have full control of the incoming packets on
> the external interface, whether they are a response to LAN traffic or
> not. I'll be implementing queueing soon and I think this PF behavior will
> affect it badly. Has anyone experienced this?
>
> Thanks a lot.
> - sho
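The point Kian makes is that translation rules create state on their own: in the posted ruleset the only state-creating rule is the nat line, and every reply to a translated connection matches that state before the "pass in on $wan" rules are ever evaluated. The script below is an added example, not part of the thread and not something either poster wrote. It classifies the filter and translation rules of a pf.conf by whether they create state, using the poster's own rules as constructed input. It assumes the pf semantics of that era (OpenBSD 3.7 derived, as shipped in FreeBSD 6.x), where a pass rule creates state only with an explicit keep state, modulate state or synproxy state, while nat, rdr and binat always create state; on later pf versions pass creates state by default, so this classification no longer applies there.

```shell
#!/bin/sh
# Added example (not from the thread): list which pf.conf rules create
# state entries, so it is clear why reply packets skip the "pass in on $wan"
# rules. Assumes pre-OpenBSD-4.1 pf semantics (FreeBSD 6.x): a pass rule
# creates state only with an explicit keep/modulate/synproxy state, while
# nat, rdr and binat rules always create state.

# Constructed input: the filter and translation rules from the posted
# config (macros and set/scrub options left out).
RULESET='nat on $wan from 20.0.0.0/8 to any -> (vr0)
pass in quick on lo0 all
pass out quick on lo0 all
pass in log quick on $wan proto tcp from 10.3.1.41 to 10.10.0.161 port 22
pass out log quick on $wan proto tcp from 10.10.0.161 port 22 to 10.3.1.41
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp from 10.3.2.19 to any
block in log quick all
block out log quick all'

# Read rules on stdin; print "stateful"/"stateless" followed by the rule.
classify_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        # "no nat/rdr/binat" exempts traffic from translation, no state
        /^[ \t]*no[ \t]+(nat|rdr|binat)[ \t]/ { print "stateless " $0; next }
        # translation rules always create a state entry
        /^[ \t]*(nat|rdr|binat)[ \t]/ { print "stateful  " $0; next }
        # pass rules create state only when they say so (old pf)
        /^[ \t]*pass[ \t]/ && /(keep|modulate|synproxy)[ \t]+state/ {
            print "stateful  " $0; next
        }
        /^[ \t]*(pass|block)[ \t]/ { print "stateless " $0; next }
    '
}

# Number of state-creating rules in $RULESET.
count_stateful() {
    printf '%s\n' "$RULESET" | classify_rules | grep -c '^stateful'
}

# Number of stateless filter rules in $RULESET.
count_stateless() {
    printf '%s\n' "$RULESET" | classify_rules | grep -c '^stateless'
}

printf '%s\n' "$RULESET" | classify_rules
```

On the live box the same thing can be confirmed with `pfctl -vsr`, which prints a States counter under each rule: the nat rule's counter climbs with every LAN connection, while the "pass in ... on $wan" rules that were meant to see the replies stay at zero.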