Bacula File/Storage Connection Woes using PF
Dalibor Gudzic
dalibor.gudzic at gmail.com
Wed Mar 26 09:20:45 PDT 2008
On Wed, Mar 26, 2008 at 4:42 PM, Jeremy Chadwick <koitsu at freebsd.org> wrote:
>
> Now the opposite, where some host on the Internet attempts to connect to
> 4.4.4.4 on port 22:
>
> somehost -> pfbox = TCP flags SYN set, ACK not set
> = PASS: matches rule #4
> pfbox -> somehost = TCP flags: SYN set, ACK set
> = PASS: matches rule #2
> somehost -> pfbox = TCP flags SYN not set, ACK set
> = PASS: matches rule #4
>
> A state-table entry won't be created for this one, since rule #1
> specifies "flags S/SA" (won't match SYN+ACK both set).
>
> If one was to add "keep state" to rule #4 (RELENG_6), or use RELENG_7
> (where "keep state" is implied) and some host on the Internet attempts
> to connect to 4.4.4.4 on port 22, we should see:
>
> somehost -> pfbox = TCP flags SYN set, ACK not set
> = PASS: matches rule #4
> = pf creates state-table entry for tracking
> pfbox -> somehost = TCP flags: SYN set, ACK set
> = PASS: has state-table entry
> somehost -> pfbox = TCP flags SYN not set, ACK set
> = PASS: has state-table entry
>
> Do we agree?
>
> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
>
Seems to be OK now. Sorry, I should have made it clearer in the
previous message; I meant, and should've said, "SYN-ACK", i.e. the response
packet from the host.
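As an added illustration, not code from the thread and not a pf implementation: a small Python model of the two exchanges Jeremy walks through above, using a hypothetical ruleset shaped like the one under discussion (rule #1 outbound with "flags S/SA keep state", rule #2 outbound without state, rule #4 inbound to port 22), where "pfbox" and "somehost" are constructed placeholders and the client's ephemeral port is not modelled.

```python
from collections import namedtuple
PFBOX = "pfbox"  # the firewall's own address (constructed placeholder)
Pkt = namedtuple("Pkt", "src dst dport flags")  # flags: TCP bits set, e.g. "S", "SA", "A"
Rule = namedtuple("Rule", "num direction dport flags keep_state", defaults=(None, None, False))

def flags_match(spec, pkt):
    """pf 'flags X/Y': each bit named in mask Y must be set in the packet iff it appears in X."""
    if spec is None:
        return True
    want, mask = spec.split("/")
    return all((bit in pkt.flags) == (bit in want) for bit in mask)

def rule_match(rule, pkt):
    direction = "out" if pkt.src == PFBOX else "in"
    return (rule.direction == direction
            and (rule.dport is None or rule.dport == pkt.dport)
            and flags_match(rule.flags, pkt))

def evaluate(rules, packets):
    """One verdict per packet. The state table is checked before the ruleset; among
    matching rules the last wins (pf default without 'quick'); no match = block."""
    states, verdicts = set(), []
    for pkt in packets:
        key = frozenset({pkt.src, pkt.dst})  # both directions of the one connection share it
        if key in states:
            verdicts.append("PASS: has state-table entry")
            continue
        matched = [r for r in rules if rule_match(r, pkt)]
        if not matched:
            verdicts.append("BLOCK: no matching rule (assumes a leading 'block all')")
        elif matched[-1].keep_state:
            states.add(key)
            verdicts.append(f"PASS: matches rule #{matched[-1].num}, state created")
        else:
            verdicts.append(f"PASS: matches rule #{matched[-1].num}")
    return verdicts

# Hypothetical ruleset shaped like the thread's: #1 out with "flags S/SA keep state",
# #2 out without state, #4 in to port 22 with no state (rule #3 plays no part here).
RULES = [Rule(1, "out", flags="S/SA", keep_state=True), Rule(2, "out"), Rule(4, "in", dport=22)]

# Constructed inbound SSH handshake: SYN in, SYN-ACK out, ACK in (dport 0 = ephemeral, not modelled).
SSH_HANDSHAKE = [Pkt("somehost", PFBOX, 22, "S"), Pkt(PFBOX, "somehost", 0, "SA"),
                 Pkt("somehost", PFBOX, 22, "A")]

def run(keep_state_on_rule4):
    """Verdicts for the handshake; True adds 'keep state' to rule #4 (RELENG_7 implies it)."""
    rules = [r._replace(keep_state=True) if keep_state_on_rule4 and r.num == 4 else r for r in RULES]
    return evaluate(rules, SSH_HANDSHAKE)
```

`run(False)` reproduces the first exchange (the SYN-ACK falls through to rule #2 because "S/SA" rejects a packet with both bits set, so no state is created) and `run(True)` the second, where the inbound SYN creates the state that carries the rest of the handshake.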