Keep State is not working on 6.1-RELEASE-p1

Daniel Hartmeier daniel at benzedrine.cx
Tue Jun 27 16:29:38 UTC 2006


On Tue, Jun 27, 2006 at 04:58:04PM +0300, N. Ersen SISECI wrote:

> For pf a solution we come up with:
> 
> pass in quick ... port 22 ... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> ....
> ....
> #last rules
> block in all
> 
> #let everything out with a new state entry
> pass out all keep tagged XYZ

Yes, that'll work fine.

> Is there another way to securely let everything "pass through" the
> firewall without having to write another rule for outgoing packets? We have
> hundreds of rules on our gateway, and it is quite difficult to duplicate
> rules and keep track of the incoming interface as well as the outgoing
> interface...

One common approach is to only filter incoming packets, and to let
everything pass out from the firewall. This covers all forwarded
traffic: anything leaving the firewall must first have passed in (and
has, therefore, been checked). It does not cover connections originating
from the firewall itself. But often, you either don't run any processes
on the firewall (that need to connect out), or you trust those
implicitly.

Another common case is a three (or more) legged firewall, where you have
strict policies about what interface a type of connection may enter and
where it may and may not leave (e.g. in on if1, out on if2, but never
out on if3), i.e. you don't trust the routing table (which might be
dynamically updated). In this case, you DO need per-interface rules,
and they are not really duplicates. Tagging helps in this case, too
(you'd tag passed incoming packets so they'd be allowed out on a
specific other interface).

I guess it boils down to whether you

  a) trust all processes on the firewall
  b) trust the routing table on the firewall

Daniel
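The three-legged layout described above, written out as an added pf.conf sketch that is not part of the thread. The interface names ext0/dmz0/lan0, the DMZ server address and the tag names are assumed values.

```pf
# Added example, not from the thread. Interface names, the DMZ web server
# address and the tag names are assumed.
ext_if  = "ext0"          # Internet
dmz_if  = "dmz0"          # DMZ with a web server
lan_if  = "lan0"          # internal clients
dmz_www = "192.0.2.10"    # assumed (documentation address)

# Bind states to the interface they were created on, so a forwarded packet is
# evaluated against the out rules of its egress interface (where "tagged"
# enforces the policy) instead of matching a floating state created on ingress.
set state-policy if-bound
set skip on lo0

# Default deny in both directions. Anything not explicitly passed, including a
# packet leaving on an interface its tag does not allow (e.g. because the
# routing table was changed underneath pf), ends up here and is logged.
block log all

# Ingress policy: every permitted connection is tagged with the interface it
# may leave on. The tag, not the routing table, decides the egress interface.
pass in quick on $ext_if proto tcp to $dmz_www port { 80, 443 } \
    flags S/SA keep state tag TO_DMZ
pass in quick on $lan_if proto tcp from $lan_if:network to $dmz_www port 22 \
    flags S/SA keep state tag TO_DMZ
pass in quick on $lan_if from $lan_if:network to ! $dmz_if:network \
    keep state tag TO_EXT

# Egress policy: one rule per allowed (tag, interface) pair. Untagged forwarded
# traffic and mismatched pairs (a TO_EXT packet leaving on dmz0) are blocked.
# "keep state" here creates the dmz0/ext0 state that the replies need.
pass out quick on $dmz_if tagged TO_DMZ keep state
pass out quick on $ext_if tagged TO_EXT keep state

# Connections originating on the firewall itself never pass "in", so they
# carry no tag and need explicit rules: trust them selectively rather than
# implicitly. Here only DNS and NTP from the box's own address are allowed.
pass out quick on $ext_if proto udp from $ext_if to any port { 53, 123 } \
    keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` for blocked packets whose egress interface disagrees with their tag.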


More information about the freebsd-pf mailing list