outgoing LAN traffic always in "keep state"

Ronnel P. Maglasang rmaglasang at infoweapons.com
Mon Jun 19 06:02:19 UTC 2006


i have nat function enabled, also tried enabling rdr and binat.  are you
saying the "keep state" functionality depends on these 3?

here's my pf config file:

#
# Aliases
#
loopback = "{ lo0 }"
lan = "{ em0  }"
wan = "{ vr0 }"

#statistics
set loginterface em0
set loginterface vr0

#optimize packets
set optimization normal

#normalize outgoing packets IP ID field
scrub log on vr0 all random-id fragment reassemble

#
# NAT on WAN interface (dont use IF alias for on the fly changes)
#
nat on $wan from 20.0.0.0/8 to any -> (vr0)

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# for ssh from 10.3.1.41 to 10.10.0.161
pass in log quick on $wan proto tcp from 10.3.1.41 to 10.10.0.161 port 22
pass out log quick on $wan proto tcp from 10.10.0.161 port 22 to 10.3.1.41

# tcp from internal source to external dest
# note: response packet will not be evaluated against incoming wan rules
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp from 10.3.2.19 to any

#
# default block
#
block in log quick all
block out log quick all


Kian Mohageri wrote:
> Post your ruleset and people can help you.  You're probably using 
> nat/rdr/binat which create states.
>
> -Kian
>
> On 6/18/06, *Ronnel P. Maglasang* <rmaglasang at infoweapons.com 
> <mailto:rmaglasang at infoweapons.com>> wrote:
>
>     I have a minimum PF setup that sits in between my internal
>     network(lan)
>     and external network(wan). PF by design, bypasses ruleset
>     evaluation(on
>     external interfaces) for incoming packets on external interface that
>     corresponds
>     to an entry in the state table or a response to an internal generated
>     packet.
>     I observe this for TCP, UDP and also ICMP packets. Even if the
>     matching rule
>     in the internal interface do not have a "keep state", still the
>     response
>     packet
>     bypasses the ruleset evaluation. Is there a way (force) to allow
>     response
>     packets to go thru ruleset evaluation? I just want to have full
>     control of
>     the incoming packets on the external interface wether they are
>     response to
>     a LAN traffic or not. I'll be implementing queueing soon and I
>     think this
>     PF behavior will affect badly. Has anyone experienced this?
>
>     Thanks a lot.
>     - sho
>     _______________________________________________
>     freebsd-pf at freebsd.org <mailto:freebsd-pf at freebsd.org> mailing list
>     http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>     To unsubscribe, send any mail to "
>     freebsd-pf-unsubscribe at freebsd.org
>     <mailto:freebsd-pf-unsubscribe at freebsd.org>"
>
>



More information about the freebsd-pf mailing list