floating keep state

Kian Mohageri kian.mohageri at gmail.com
Thu Feb 28 15:22:49 UTC 2008


On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <vchepkov at gmail.com> wrote:
>  set block-policy return
>  set state-policy floating
>  pass in log quick proto udp from any to 10.10.10.1 port domain keep state
>  block in log from any to 10.10.11.254
>
>  22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 >
>  10.10.10.1.53:  45616+[|domain]
>  22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 >
>  10.10.11.254.32772:  45616*-[|domain]
>

States not only have address/port pairs in them (among other things),
but they also have a direction.

The request packet (coming in on xl1) creates a state that will match
the following:

   10.10.11.254:32772 ==> 10.10.10.1:53      (IN)
   10.10.10.1:53      ==> 10.10.11.254:32772 (OUT)

The same packet is filtered again on xl0, but notice it will not match
this state because its direction is now "out".  As Daniel said, it's
passed anyway because of the implicit pass rule at the end of your
ruleset (by the way this makes it difficult to troubleshoot problems).

Server receives packet and replies:

   10.10.10.1:53 ==> 10.10.11.254:32772 (IN)

Notice this will not match the state created above (direction is IN,
not OUT), and it will also be blocked by your second rule.

-Kian

PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)
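The ruleset below is an added example, not part of Kian's or Vadym's mails, showing one way to make the quoted configuration work with the direction semantics described above: give the request its own stateful `pass out` rule on xl0, so that the reply coming back in on xl0 matches a state instead of falling through to the `block in` rule. Interface names and addresses are taken from the quoted post; the assumption is the same two-interface layout (client side xl1, server side xl0) and no NAT.

```pf
set block-policy return
set state-policy floating

# Request arrives on xl1 and creates a floating state whose forward
# direction is "in" (10.10.11.254:32772 -> 10.10.10.1:53). That state also
# matches the reply when it goes OUT on xl1, but nothing else.
pass in log quick on xl1 proto udp from any to 10.10.10.1 port domain keep state

# The same request is filtered again as an "out" packet on xl0. The state
# above does not match it (direction is now out), so instead of relying on
# the implicit default pass, create a second state here. Its reverse side
# is the reply coming IN on xl0, which therefore never reaches the block rule.
pass out log quick on xl0 proto udp from any to 10.10.10.1 port domain keep state

block in log from any to 10.10.11.254
```

With both states in place, each of the four filter passes (request in on xl1, request out on xl0, reply in on xl0, reply out on xl1) is matched by a state, and `pfctl -ss` will show two entries for one DNS lookup. Once nothing depends on the implicit pass at the end of the ruleset, a `block log all` at the top makes the kind of problem in the quoted log show up immediately in `pflog` instead of silently passing.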

