keeping state on outgoing connections fails (?)

Jon Radel jon at radel.com
Wed Sep 3 18:49:40 UTC 2008


Peter Wullinger wrote:
> I'll reply to Jeremy, since his answer somehow confused me. 
> 
> In epistula a Jeremy Chadwick, die horaque Wed Sep  3 17:26:32 2008:
>> On Wed, Sep 03, 2008 at 01:09:43PM +0200, Guido van Rooij wrote:
>>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>>
>>> ep0: 1.2.3.4/24
>>> bge0: 10.0.0.1/24
>>>
>>> ruleset (made as simple as possible):
>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
>>> block drop out log quick on ep0 all
>>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
> 
> A little bit of guessing led me to the (possible, I have not tested
> this) culprit: Is your state-policy set to "floating" or "if-bound"?
> 
> From a casual look at the log entries and traffic snapshots you have sent, 
> this seems to be pf working in "if-bound" mode. In this case, the
> created state table entry matches incoming on bge0, but not on
> outgoing on ep0 any more (packets pass through pf twice, as expected).
> 
> This still may be a bug, but it's common to rule out all possible
> culprits before spreading blame.
> 

My understanding is that "if-bound" would have an effect on this
scenario if the OP, for example, had two interfaces on the same "side"
of the firewall, say bge0 and bge1, and packets for a connection that
was originally established by a packet outbound on bge0 might cross on
either bge0 or bge1 traveling in the same direction with respect to the
FreeBSD router with the configuration.

In this case we're talking about packets that are traveling in one
direction with respect to the router on bge0 and the other direction on
ep0, so you'd need separate state entries no matter what you've done
with if-bound.

--Jon Radel
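
Added example, not part of the original message or of pf itself: a simplified Python model of direction-bound state matching that traces the reply packet (10.0.0.2 to 1.2.3.1) through both pf passes under each state-policy. The `State` tuple, `state_matches` and `trace_reply` are hypothetical names, and the matching logic is an assumption based on the explanation in this thread, not pf's real data structures.

```python
from collections import namedtuple

# Simplified model (assumption): a state remembers the interface and
# direction of the packet that created it, plus that packet's src/dst.
State = namedtuple("State", "iface direction src dst")

def state_matches(state, policy, iface, direction, src, dst):
    """Return True if a packet seen on iface/direction belongs to state."""
    if policy == "if-bound" and iface != state.iface:
        return False  # if-bound: only the interface that created the state
    forward = direction == state.direction and (src, dst) == (state.src, state.dst)
    reply = direction != state.direction and (src, dst) == (state.dst, state.src)
    return forward or reply

def trace_reply(states, policy):
    """Follow the reply 10.0.0.2 -> 1.2.3.1: in on bge0, then out on ep0."""
    result = {}
    for iface, direction in (("bge0", "in"), ("ep0", "out")):
        hit = any(
            state_matches(s, policy, iface, direction, "10.0.0.2", "1.2.3.1")
            for s in states
        )
        # "ruleset" means no state matched, so the rules are evaluated and
        # "block drop out log quick on ep0 all" applies on ep0.
        result[(iface, direction)] = "state" if hit else "ruleset"
    return result

# State created by "pass out quick on bge0 ... keep state" in the posted ruleset.
POSTED = [State("bge0", "out", "1.2.3.1", "10.0.0.2")]
# Constructed variant: a second state, as if the ep0 "pass in" rule also kept state.
WITH_EP0_STATE = POSTED + [State("ep0", "in", "1.2.3.1", "10.0.0.2")]

if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, "posted ruleset :", trace_reply(POSTED, policy))
        print(policy, "with ep0 state :", trace_reply(WITH_EP0_STATE, policy))
```

In this model the reply falls through to the ruleset on ep0 under both policies until a separate state exists for the ep0 crossing.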
