pf misfeature

Max Laier max at love2party.net
Thu Nov 8 11:43:42 PST 2007


On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
>   pass on $eth from $lan to $lan
>
> However, in pf, "keep state" is *implicit* (why?), so you'd expect it
> to turn into something like this:
>
>   pass on $eth from $lan to $lan keep state
>
> but what you actually get is this:
>
>   pass on $eth from $lan to $lan flags S/SA keep state
>
> which only matches TCP handshakes, so your UDP streams are screwed.

I don't think this is true.  It will match any protocol, but if it is tcp 
it will make sure it's the initial SYN.  This is necessary in order to 
have the state tracking work with window scaling etc.

In my quick testing, icmp and udp both match the expanded rule.

> Workaround: explicitly specify TCP and UDP, causing pf to split the
> rule into two:
>
>   pass on $eth inet proto { tcp, udp } from $lan to $lan
>
> becomes
>
>   pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
>   pass on $eth inet proto udp from $lan to $lan keep state
>
> There does not seem to be any way to turn off this misguided rewriting
> of firewall rules.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
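The disagreement above turns on what "flags S/SA" actually restricts. The following Python model, added here as an illustration and not code from pf or from either poster, encodes the documented meaning of a pf "flags a/b" clause (of the flags in set b, exactly those in a must be set; flags outside b are ignored) and applies it the way the reply describes: the expanded rule passes any protocol, and only for TCP does it additionally require the initial-SYN pattern before creating state. The Packet type, the rule_matches helper and the sample packets are all constructed for this example.

```python
# Added example (not from the mailing-list thread and not pf's own code):
# a small model of how pf's implicit "flags S/SA keep state" applies to
#   pass on $eth from $lan to $lan flags S/SA keep state
# The flag test follows pf's documented "flags a/b" semantics: out of the
# flag set b, exactly the flags in a must be set. It applies to TCP only.

from dataclasses import dataclass

# TCP header flag bits (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the fields the rule cares about."""
    proto: str          # "tcp", "udp", "icmp", ...
    tcp_flags: int = 0  # only meaningful when proto == "tcp"


def parse_flags(spec):
    """Turn a pf 'flags a/b' string into (bits_that_must_be_set, mask)."""
    want, mask = spec.split("/")
    return (sum(FLAG_BITS[c] for c in want),
            sum(FLAG_BITS[c] for c in mask))


def flags_match(tcp_flags, spec):
    """pf 'flags a/b': of the flags in b, exactly those in a are set."""
    want, mask = parse_flags(spec)
    return (tcp_flags & mask) == want


def rule_matches(pkt, flags_spec="S/SA"):
    """Model of the expanded rule: non-TCP traffic matches unconditionally;
    TCP matches only when it carries the initial-SYN flag pattern, which is
    the packet pf wants to see before it sets up a state entry."""
    if pkt.proto != "tcp":
        return True
    return flags_match(pkt.tcp_flags, flags_spec)


def classify(packets, flags_spec="S/SA"):
    """Return {description: matches?} for a batch of constructed packets."""
    return {desc: rule_matches(p, flags_spec) for desc, p in packets}


# Constructed sample traffic: a UDP datagram, an ICMP echo, and the three
# segments of a TCP handshake plus a mid-stream data segment.
SAMPLE = [
    ("udp datagram", Packet("udp")),
    ("icmp echo", Packet("icmp")),
    ("tcp SYN", Packet("tcp", SYN)),
    ("tcp SYN+ACK", Packet("tcp", SYN | ACK)),
    ("tcp ACK", Packet("tcp", ACK)),
    ("tcp PSH+ACK", Packet("tcp", PSH | ACK)),
]

if __name__ == "__main__":
    for desc, ok in classify(SAMPLE).items():
        print(f"{desc:14s} -> {'matches' if ok else 'no match'}")
```

Only the first TCP segment of a connection matches the S/SA pattern; later segments are expected to hit the state entry that the SYN created, which is why the rule does not need to pass them. To see the rewritten ruleset pf actually loads, the standard way is a verbose dry run of the configuration with `pfctl -nvf /etc/pf.conf`, which prints each rule after expansion.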