Keep State is not working on 6.1-RELEASE-p1

N. Ersen SISECI siseci at gmail.com
Tue Jun 27 13:58:23 UTC 2006


So we don't have a "keep state" interpretation like ipf etc.... (OK, I
understand the floating option for the state table. It is not related to our
problem...)
What we are looking for is to be able to pass through the firewall with one
set of rules per allowed traffic, like it used to be in ipf-like firewalls.

For pf a solution we come up with:

pass in quick ... port 22 ... keep state tag XYZ
pass in quick .... keep state tag XYZ
pass in quick .... keep state tag XYZ
pass in quick .... keep state tag XYZ
pass in quick .... keep state tag XYZ
....
....
#last rules
block in all

#let everything out with a new state entry
pass out all tagged XYZ keep state

Is there another way to securely let everything "pass through" the firewall
without having to write another rule for outgoing packets? We have
hundreds of rules on our gateway, and it is quite difficult to duplicate
rules and keep track of the incoming interface as well as the outgoing
interface...

Thanx for your help

N. Ersen SISECI
http://www.enderunix.org

Daniel Hartmeier wrote:

> On Tue, Jun 27, 2006 at 01:36:52PM +0300, N. Ersen SISECI wrote:
>
>> My first rule is pass in all with keep state. But the packets do not
>> seem to be able to pass out from the other interface. If I change the last
>> block to "pass" everything works fine. It seems that the state table
>> is always if-bound???
>>
>> Is there a solution for this problem, or do I miss a configuration with
>> kernel, pf, pf.conf etc... ??? or is this a bug  :)
>
> Neither, your interpretation of 'floating' does not match reality, see
>
>   http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2
>
> In short, create two state entries per connection.
>
> Daniel
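The following is an added example ruleset illustrating the point of this thread; it is not the poster's configuration or anything from Daniel's reply. It puts Daniel's "two state entries per connection" advice together with the tag/tagged variant sketched in the post above: every permitted service gets one stateful inbound rule that tags the packet, and a single outbound rule passes only tagged packets, creating the second state entry on the outgoing interface. The interface names, the 192.0.2.0/24 network, the 198.51.100.10 host and the FWD tag name are assumed values chosen for the example.

```pf
# Added example ruleset, not from the original thread.  Interface names,
# networks, the server address and the tag name are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.0.2.0/24"
srv     = "198.51.100.10"

# Floating is the default.  It lets a state match on any interface, but a
# state created by an inbound rule is keyed from the inbound side, so the
# same packet leaving on $ext_if still needs its own state (hence the
# outbound rule below).
set state-policy floating

# One stateful rule per permitted service on the inbound interface.  Each
# rule tags the packet; the tag travels with the packet through the
# forwarding path and is what the single outbound rule matches on.
pass in quick on $int_if proto tcp from $int_net to $srv port 22 \
    keep state tag FWD
pass in quick on $int_if proto tcp from $int_net to $srv port { 80, 443 } \
    keep state tag FWD
pass in quick on $int_if proto udp from $int_net to $srv port 53 \
    keep state tag FWD

# Last inbound rule: default deny for anything that was not tagged above.
block in all

# The single outbound rule.  Only packets that already passed a tagging
# inbound rule are let out, and each forwarded connection gets its second
# state entry here, so replies arriving on $ext_if match this state and
# replies leaving on $int_if match the inbound rule's state.
pass out quick on $ext_if all tagged FWD keep state

# Default deny for anything else leaving.  Note that this also blocks
# traffic originating on the firewall itself (DNS, NTP, package fetches),
# which needs its own explicit "pass out ... keep state" rules.
block out all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. After a forwarded connection is established, `pfctl -ss` should show two entries for it, one created on each interface, which is exactly the "two state entries per connection" Daniel refers to. Compared with a bare `pass out all keep state`, the `tagged FWD` form is the narrower choice: a packet that reached the outbound ruleset without passing a tagging inbound rule is still blocked.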




More information about the freebsd-pf mailing list