PF sanity check

Kajetan Staszkiewicz vegeta at tuxpowered.net
Sat Oct 26 23:28:57 UTC 2013


On Saturday, 26 October 2013 at 17:36:14, Rumen Telbizov wrote:

> 1. I use quick rules everywhere. Early on in the ruleset I pass everything
> in and out on the $ext_if no state.

See below.

> ...

> 2. For inter-vlan traffic it will create double states for the pass rules:
> one state on the way the packet coming in on the source vlan interface and
> another out going out of the destination interface allowing the specific
> traffic.
> 
> The question is: Is keeping two states for one connection a bad thing or is
> it an acceptable practice ?

It's rather a requirement. A packet incoming on one interface creates a 
different state than the same packet outgoing on another interface (even without 
an if-bound state policy). And you want further, reverse-direction packets in 
connections to be matched to existing states and passed instead of traversing 
the rule list or hitting the block rule.

> Here's a reproduction of the ruleset for better understanding:
> 
> # ignore the $ext_if below

If you want to fully ignore the interface, you can use "set skip" for that 
purpose. Although I'm not sure if NAT will work in such a case, should you need 
it. It would also be nice to set skip on the loopback interface.

> pass quick on $ext_if no state

This rule passes the traffic in both directions, so it's probably fine. Although 
using stateful inspection would increase security a bit.

> # vlan1
> pass in quick on vlan1   # outgoing state for the internet and other vlans
> pass out quick on vlan1 proto tcp from <trusted> to 10.1.1.1 port 22
> block quick on vlan1 all
> 
> # vlan2
> pass in quick on vlan2
> pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
> block quick on vlan2 all
> ...
> 
> block quick all
> 

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
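The points made in the reply above (stateful rules instead of "no state" on the external interface, "set skip" on loopback, and per-VLAN in/out rules that each create their own state) pulled together into one ruleset. This is an added illustration, not the original poster's or the replier's configuration: the interface name em0, the table contents and the VLAN addresses are assumptions chosen for the example.

```pf
# Assumed interface name and trusted range (not from the original thread).
ext_if = "em0"
table <trusted> { 10.1.1.0/24 }

# Loopback traffic never needs filtering; skipping it avoids pointless states.
set skip on lo0

# The original ruleset used:  pass quick on $ext_if no state
# That passes both directions but inspects nothing. Dropping "no state"
# makes the rule stateful (keep state is the default), so only packets that
# match an established state, or that are a legitimate first packet, are let
# through on the external interface.
pass quick on $ext_if

# vlan1: everything leaving the VLAN is allowed and creates a state on vlan1;
# only SSH to the gateway from <trusted> may enter the VLAN from elsewhere.
pass in  quick on vlan1
pass out quick on vlan1 proto tcp from <trusted> to 10.1.1.1 port 22
block    quick on vlan1 all

# vlan2: same shape, but only HTTP to the gateway may enter.
pass in  quick on vlan2
pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
block    quick on vlan2 all

# Catch-all.
block quick all
```

A connection from vlan1 to vlan2 still produces two states, one on the "pass in quick on vlan1" rule and one on the "pass out quick on vlan2" rule, which is the expected behaviour described above rather than something to eliminate. Check the syntax with "pfctl -nf /etc/pf.conf" before loading, and inspect the resulting states with "pfctl -ss" to confirm that reply packets are matched to existing states instead of being evaluated against the rule list.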

