Packet Path Through PF (once for each interface?)

David DeSimone fox at verio.net
Wed May 16 19:59:53 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Judge <tom at tomjudge.com> wrote:
>
> I have a question about the number of times a packet passes through pf 
> on a router.

The PF subsystem always examines every packet that passes in or out an
interface.  For a forwarded packet that means it will be examined twice.

However, your question seems to be more in regards to whether the packet
gets matched against the rulebase.  That is sort of a subtly different
question.

> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
> 
> Does a packet being routed from em0 to em1 pass through PF twice?
> 
> Would the following example work to only pass ssh connections from 
> 172.31.0.0/24 into 172.31.1.0/41
> 
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> block in log inet from any to any
> block out log inet from any to any

Because of the "keep state" qualifier, PF will build a state entry,
which allows matching packets to be passed, without examining the
rulebase.  So, PF does indeed examine every packet, once when it comes
in an interface, again when the packet goes out the opposite interface,
but because a state table entry matches the packet, it is allowed to
pass without examining the rulebase beyond the first packet.

So, packets are "passed through" PF, but the rulebase is "passed
through" only once for packets matching the rule.

> Or do I have to have the following rules for it to work?
> 
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state

If you were to leave out the "keep state" qualifier, you would need
rules matching the inbound and outbound packets.  I think you would
find, if you go ahead and tried the above, that the second rule never
sees any matches, because the first rule handles them and builds state
which causes the second rule to never be used.

- -- 
David DeSimone == Network Admin == fox at verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGS2K0FSrKRjX5eCoRApIoAKCbbICHHJ3asueiJHH+ToARLW/kUQCeNveO
HQDMENFXxk8GEsp/hoCWkdY=
=WYco
-----END PGP SIGNATURE-----
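The packet path David describes (every forwarded packet inspected on the inbound interface and again on the outbound one, the state table consulted before the rulebase, and a "keep state" match letting later packets skip rule evaluation) can be modelled in a few dozen lines. The script below is an added example written for this archive page; it is not PF source and not code from either poster. It assumes floating states (a state entry matches on any interface), a simplified one-way state key (real PF keys on the full address/port pair and also matches the reply direction), "last match wins unless quick", and PF's default of passing when no rule matches. The three rulesets are the ones from the thread, and the sample packets are constructed.

```python
"""Toy model of the PF packet path on a two-interface router (added example).

Assumptions, not PF internals: floating states, a one-directional state key,
no return-traffic matching, last-match-wins unless 'quick', default pass.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    def state_key(self):
        # Simplified: real PF also stores the source port and matches replies.
        return (self.proto, self.src, self.dst, self.dport)


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None means any interface
    proto: Optional[str] = None  # None means any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # destination port, None means any
    quick: bool = False
    keep_state: bool = False
    packets: int = 0             # like the "Packets" counter in pfctl -vsr

    def matches(self, pkt: Packet, direction: str, iface: str) -> bool:
        return (self.direction == direction
                and self.iface in (None, iface)
                and self.proto in (None, pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport))


class ToyPF:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()
        self.rulebase_walks = 0  # how often the rulebase had to be evaluated

    def inspect(self, pkt: Packet, direction: str, iface: str) -> str:
        # 1. The state table is checked first; a hit bypasses the rulebase.
        if pkt.state_key() in self.states:
            return "pass"
        # 2. Otherwise walk the rules: last match wins, 'quick' stops early.
        self.rulebase_walks += 1
        winner = None
        for rule in self.rules:
            if rule.matches(pkt, direction, iface):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass"  # PF passes traffic no rule matches
        winner.packets += 1
        if winner.action == "pass" and winner.keep_state:
            self.states.add(pkt.state_key())
        return winner.action

    def forward(self, pkt: Packet, in_if: str = "em0", out_if: str = "em1") -> str:
        # A routed packet passes through PF twice: in on em0, out on em1.
        if self.inspect(pkt, "in", in_if) == "block":
            return "block"
        return self.inspect(pkt, "out", out_if)


SSH_RULE = dict(iface="em0", proto="tcp", src="172.31.0.0/24",
                dst="172.31.1.0/24", dport=22, quick=True)


def ruleset_keep_state():
    # pass in quick on em0 ... port 22 keep state / block in / block out
    return [Rule("pass", "in", keep_state=True, **SSH_RULE),
            Rule("block", "in"), Rule("block", "out")]


def ruleset_two_pass_rules():
    # Same, plus the 'pass out quick on em1' rule the question asks about.
    out_rule = dict(SSH_RULE, iface="em1")
    return [Rule("pass", "in", keep_state=True, **SSH_RULE),
            Rule("pass", "out", keep_state=True, **out_rule),
            Rule("block", "in"), Rule("block", "out")]


def ruleset_no_state():
    # The pass rule without 'keep state'.
    return [Rule("pass", "in", **SSH_RULE),
            Rule("block", "in"), Rule("block", "out")]


# Constructed sample packets from the 172.31.0.0/24 side to the 172.31.1.0/24 side.
SSH = Packet("172.31.0.10", "172.31.1.20", 22)
HTTP = Packet("172.31.0.10", "172.31.1.20", 80)


def run(rules, packets):
    """Return (verdict per packet, rulebase walks, per-rule packet counters)."""
    pf = ToyPF(rules)
    verdicts = [pf.forward(p) for p in packets]
    return verdicts, pf.rulebase_walks, [r.packets for r in pf.rules]


if __name__ == "__main__":
    print("keep state, 3 ssh packets :", run(ruleset_keep_state(), [SSH] * 3))
    print("extra pass-out rule       :", run(ruleset_two_pass_rules(), [SSH] * 2))
    print("no keep state, 1 ssh pkt  :", run(ruleset_no_state(), [SSH]))
    print("keep state, http packet   :", run(ruleset_keep_state(), [HTTP]))
```

Running it shows the two points of the reply: with "keep state", three forwarded ssh packets are inspected six times but the rulebase is walked once and only the first rule's counter moves, so the extra "pass out quick on em1" rule never records a match; without "keep state", the outbound inspection on em1 finds no state, walks the rules again and hits "block out".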


More information about the freebsd-pf mailing list