PF firewall rules

Dmitry Andrianov dimas at dataart.com
Mon Jul 10 04:46:11 UTC 2006


Hello.

> I might remove these in the future but just want to at least 
> do some testing on a firewall setup for many reasons such as 
> it has 2 separate links and want to try changing between the 
> links/routes without affecting state.

I'm not sure how this should work. If you change the outgoing NAT address
(what else does "switching the link" mean?), everything WILL break. With
both UDP and TCP, any stateful firewall on the server side will reject a
"stream" whose address changes in the middle. Even if there is no
stateful firewall on their side, the TCP implementation on the server will
not accept these packets.

> Take this rule for example
> pass out on fxp0 proto { tcp, udp, icmp } from any to any 
> modulate state.
> What TCP flags rules are being used when you use "modulate 
> state" for the TCP protocol? Is it the same kind of rule as for 
> UDP, in that it largely ignores flags (as UDP has none) and 
> if any TCP packets are going out then it just tracks that 
> state? Or is it working on the most popular flags option rule 
> such as "flags S/SA"?

AFAIK, it does not check flags.

> If it's just any flag this would mean I could just 
> /etc/rc.d/pf restart (over resync) on the firewall gateway 
> and the users aren't likely to notice anything as the TCP 
> protocol would probably just resend its last sent packet 
> believing the last one was dropped.

Yes, if you restart pf with such rules, the next _outgoing_ packet
(one that has a rule in your firewall) should restore the state. But keep in
mind that a packet in the opposite direction will not restore the state
(because there is no separate rule for it; it used to match on state
only). So such a packet will be blocked.

Btw, I'm not sure why you need restarting pf at all. If you need it to
reload the rules, use

pfctl -F rules -f /etc/rc.pf

It will flush all rules and load new ones from the file while keeping all the
states.

> What is the recommended way to place restrictive rules on 
> internal IPs? 

Why can't you filter incoming packets as they come in on the internal
interface? IMHO it is more natural because you stop unwanted traffic
early.

Regards,
Dmitry Andrianov
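An added example ruleset illustrating the points discussed above (it is not from the original thread or its author): a rule without "flags" versus a "flags S/SA" rule, early filtering on the internal interface, and a state-preserving reload. The interface names, the 192.168.1.0/24 LAN and the allowed ports are assumptions.

```pf
# Added example /etc/pf.conf (not part of the thread). Interfaces,
# LAN range and port list are assumed values for illustration.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# Deny by default and log what is dropped, so blocked traffic is visible.
block log all

# Filter the LAN early, on the internal interface: only the services
# you intend to allow ever leave the LAN. "flags S/SA" means only an
# initial SYN (SYN set, ACK clear) can create state.
pass in on $int_if proto tcp from $lan to any port { 22, 80, 443 } \
    flags S/SA keep state
pass in on $int_if proto udp from $lan to any port 53 keep state
pass in on $int_if inet proto icmp from $lan to any icmp-type echoreq keep state

# Rule with no "flags" keyword, as in the thread: any outgoing TCP
# segment (mid-stream ACKs included) can create a new state entry,
# so an established connection survives a wiped state table as long
# as the next packet is outbound. Replies arriving first are dropped
# by "block all" because nothing matches them without state.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

# Stricter alternative: only a SYN creates state, so a wiped state
# table cuts every existing connection instead of silently rebuilding it.
# pass out on $ext_if proto tcp from any to any flags S/SA modulate state
# Note: newer pf releases default TCP rules to "flags S/SA"; write
# "flags any" explicitly if the permissive behaviour above is intended.

# Reload rules without touching the state table (instead of restarting pf):
#   pfctl -F rules -f /etc/pf.conf
# Inspect current states before and after to confirm they survived:
#   pfctl -s state
```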


More information about the freebsd-pf mailing list