Bacula File/Storage Connection Woes using PF

Dalibor Gudzic dalibor.gudzic at gmail.com
Wed Mar 26 09:20:45 PDT 2008


On Wed, Mar 26, 2008 at 4:42 PM, Jeremy Chadwick <koitsu at freebsd.org> wrote:

>
> Now the opposite, where some host on the Internet attempts to connect to
> 4.4.4.4 on port 22:
>
>  somehost -> pfbox      = TCP flags SYN set, ACK not set
>                         = PASS: matches rule #4
>  pfbox    -> somehost   = TCP flags: SYN set, ACK set
>                         = PASS: matches rule #2
>  somehost -> pfbox      = TCP flags SYN not set, ACK set
>                         = PASS: matches rule #4
>
> A state-table entry won't be created for this one, since rule #1
> specifies "flags S/SA" (won't match SYN+ACK both set).
>
> If one was to add "keep state" to rule #4 (RELENG_6), or use RELENG_7
> (where "keep state" is implied) and some host on the Internet attempts
> to connect to 4.4.4.4 on port 22, we should see:
>
>  somehost -> pfbox      = TCP flags SYN set, ACK not set
>                         = PASS: matches rule #4
>                         = pf creates state-table entry for tracking
>  pfbox    -> somehost   = TCP flags: SYN set, ACK set
>                         = PASS: has state-table entry
>  somehost -> pfbox      = TCP flags SYN not set, ACK set
>                         = PASS: has state-table entry
>
> Do we agree?
>
> --
> | Jeremy Chadwick                                    jdc at parodius.com |
> | Parodius Networking                           http://www.parodius.com/ |
> | UNIX Systems Administrator                      Mountain View, CA, USA |
> | Making life hard for others since 1977.                  PGP: 4BD6C0CB |
>
Seems to be OK now. Sorry, I should have made it clearer in the
previous message; I meant, and should've said, "SYN-ACK" i.e. the response
packet from host.
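To make the two packet walks above concrete, here is a small Python model of how pf decides each packet: state-table lookup first, then a rule walk where the last matching rule wins (pf's default without "quick"), with "flags S/SA" meaning that of the SYN and ACK bits only SYN may be set. This is an added illustration, not pf source and not part of the original thread; the four-rule ruleset (rule #1 "pass out ... flags S/SA keep state", rule #2 a stateless "pass out", rule #3 "block in", rule #4 "pass in ... to 4.4.4.4 port 22") and the somehost address 1.2.3.4 are assumptions made to reproduce the rule numbers Jeremy refers to, since the actual pf.conf is not quoted.

```python
"""Toy model of pf's evaluation order (constructed for illustration).

Order per packet: state table first; on a miss walk the rules and the LAST
matching rule wins (pf default, no 'quick').  "flags S/SA" means: looking only
at the SYN and ACK bits, exactly SYN must be set.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    direction: str      # "in" = arrives at pfbox, "out" = leaves pfbox
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"S", "A"}


@dataclass
class Rule:
    number: int
    direction: str
    action: str = "pass"
    dst: Optional[tuple] = None      # (ip, port) or None for "any"
    flags: Optional[tuple] = None    # (set_bits, mask_bits), e.g. ("S", "SA")
    keep_state: bool = False

    def matches(self, pkt):
        if pkt.direction != self.direction:
            return False
        if self.dst and (pkt.dst, pkt.dport) != self.dst:
            return False
        if self.flags:
            want, mask = self.flags
            # Compare only the bits named in the mask against the wanted set.
            if {f for f in pkt.flags if f in mask} != set(want):
                return False
        return True


class Pf:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # unordered endpoint pairs, so both directions hit

    @staticmethod
    def _key(pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def filter(self, pkt):
        if self._key(pkt) in self.states:
            return "PASS: has state-table entry"
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule          # last matching rule wins
        if winner is None or winner.action == "block":
            return "BLOCK: no passing rule"
        verdict = f"PASS: matches rule #{winner.number}"
        if winner.keep_state:
            self.states.add(self._key(pkt))
            verdict += ", creates state"
        return verdict


def ruleset(rule4_keep_state):
    """Assumed ruleset; only rule #4's 'keep state' varies between the walks."""
    return [
        Rule(1, "out", flags=("S", "SA"), keep_state=True),
        Rule(2, "out"),
        Rule(3, "in", action="block"),
        Rule(4, "in", dst=("4.4.4.4", 22), keep_state=rule4_keep_state),
    ]


def inbound_ssh_walk(rule4_keep_state):
    """Verdicts for the three-packet handshake somehost -> pfbox:22."""
    pf = Pf(ruleset(rule4_keep_state))
    somehost, pfbox = "1.2.3.4", "4.4.4.4"   # constructed addresses
    handshake = [
        Packet("in", somehost, 50000, pfbox, 22, frozenset({"S"})),       # SYN
        Packet("out", pfbox, 22, somehost, 50000, frozenset({"S", "A"})), # SYN-ACK
        Packet("in", somehost, 50000, pfbox, 22, frozenset({"A"})),       # ACK
    ]
    return [pf.filter(p) for p in handshake]


if __name__ == "__main__":
    for keep in (False, True):
        print(f"rule #4 keep state = {keep}")
        for line in inbound_ssh_walk(keep):
            print("   ", line)
```

Running it reproduces both walks: without "keep state" on rule #4 the SYN-ACK from pfbox fails rule #1's "S/SA" check and falls through to rule #2, and the final ACK is matched by rule #4 again; with "keep state" the SYN creates a state entry and the next two packets pass on that entry without touching the rules.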
