PF and State Table

Diego Salvador salvador_d13 at yahoo.com.ph
Wed Apr 2 09:53:59 UTC 2008


Sir David,

So you mean to say that it is really required for pf rules to specify TCP 
flags when used with keep state? Because this seems to relate to my 
previous problem with the PF firewall that causes a problem browsing
Google and YouTube web sites with Windows Vista nodes behind PF. Example 
rules for the node are

pass in on $ext_if inet from any to 192.168.100.1 
pass out on $ext_if inet from 192.168.100.1 to any keep state 

where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall. As you
can see from the above rules, I didn't specify any specific protocols like TCP, UDP 
and ICMP, so TCP here just uses the "keep state" option without flags. The Google and 
YouTube sites seem not to continue displaying web pages, but I can see that the 
connections were established between the Windows Vista node and the Google and YouTube 
sites.

Yes, that's what I'm looking for: the file where I can analyze the PF state table 
in the source code.

Thanks,

Diego Salvador
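As an added illustration (not part of the original mail), here are the two rules from the message above next to a variant that creates TCP state only from the initial SYN. The `flags S/SA` modifier makes the rule match packets that have SYN set and ACK clear out of the SYN/ACK pair, i.e. the first packet of a handshake, so the state entry is always created from a packet that carries the window-scale option. Recent pf versions make `keep state` and `flags S/SA` the default for TCP pass rules; on older versions they have to be written out, and writing them out is harmless on the newer ones. The non-TCP rule is a hypothetical split added so that UDP and ICMP keep the behaviour of the original rule.

```pf
# Rules as posted: state is created by whatever outbound packet matches first,
# which may be a packet from the middle of an existing connection.
pass in  on $ext_if inet from any to 192.168.100.1
pass out on $ext_if inet from 192.168.100.1 to any keep state

# Added variant: TCP state is created only from the initial SYN, so the
# window-scale option exchanged in the handshake is always seen by pf.
pass out on $ext_if inet proto tcp from 192.168.100.1 to any \
    flags S/SA keep state
# Hypothetical companion rule so UDP and ICMP from the node still get state.
pass out on $ext_if inet proto { udp icmp } from 192.168.100.1 to any keep state
```

To check the result, load the ruleset with `pfctl -nf /etc/pf.conf` first (parse only), then after activating it inspect the state table with `pfctl -vss`: a TCP state that was created from a handshake where both ends negotiated scaling prints a `wscale` value, while a state that was picked up mid-connection on a scaled session does not, which is the situation the reply below describes as stalling.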
>
> This is somewhat risky, because you really don't want to waste a state
> entry on something that's half-way in the middle of a TCP session
> (well, I suppose you could, but it seems insecure).

It's more than just insecure; it can cause breakage of TCP connections,
especially in a world where RFC 1323 is commonplace (i.e. today's world).

If PF starts tracking state from the middle of a connection, it has
missed out on discovering what TCP window scaling factors are in use. 
If there happens to be no scaling in use, it works fine, but if a scale
factor is being applied, PF will not track the state correctly, and the
connection will stall out.

> > In what file of PF in the FreeBSD kernel is the state table structure
> > located?
> 
> I don't understand this question.

I think the question is asking for details on how PF state is stored in
memory.  I found a very nice struct pf_state in /usr/include/net/pfvar.h.
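The stall described above can be reproduced in a small model. The following is an added example written for this page, not pf's code and not its exact algorithm: it keeps, per connection peer, the last acknowledgement number, the last raw window field and the shift learnt from that peer's SYN, and it drops a data segment whose end lies beyond the receive window as the filter understands it. A tracker that sees the handshake learns the scale factors and agrees with the endpoints; a tracker that creates state from a mid-stream packet (bare `keep state`) never learns them, treats a raw window of 4096 as 4096 bytes instead of 4096 << 5, and drops the third segment of the response; a tracker that insists on a SYN (`flags S/SA keep state`) creates no state at all for the mid-stream packets, which is the clean failure the reply prefers. The packets, scale factors and sequence numbers are constructed for the example.

```python
"""
Toy model of the sequence-window check a stateful filter applies to an
established TCP connection, showing why a state picked up mid-stream breaks
once RFC 1323 window scaling is in play.  Constructed illustration written
for this page; it is not pf's own code or its exact algorithm.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pkt:
    src: str                      # "client" or "server"
    flags: str                    # TCP flag letters, e.g. "S", "SA", "A", "PA"
    seq: int
    ack: int
    win: int                      # raw 16-bit window field from the header
    payload: int = 0              # bytes of data carried
    wscale: Optional[int] = None  # window-scale option; only present on SYN / SYN-ACK


@dataclass
class Peer:
    ack: int = 0      # last acknowledgement number this peer sent
    win: int = 0      # last raw window this peer advertised
    wscale: int = 0   # shift learnt from this peer's SYN; stays 0 if the SYN was missed


class Tracker:
    """require_syn=True models 'flags S/SA keep state' (state only from a SYN);
    require_syn=False models bare 'keep state' (state from whatever matches first)."""

    def __init__(self, require_syn: bool) -> None:
        self.require_syn = require_syn
        self.peers: Optional[Dict[str, Peer]] = None   # None until a state entry exists

    def process(self, p: Pkt) -> str:
        if self.peers is None:
            if self.require_syn and p.flags != "S":
                return "no-state"          # nothing creates state; the default block applies
            self.peers = {"client": Peer(), "server": Peer()}
            self._learn(p)
            return "create"
        other = self.peers["server" if p.src == "client" else "client"]
        # A data segment must end inside the receive window the other side advertised,
        # as the filter understands that window.  Without the other side's SYN there
        # is no scale factor, so the raw 16-bit value is used unscaled.
        if p.payload and other.win:
            window_end = other.ack + (other.win << other.wscale)
            if p.seq + p.payload > window_end:
                return "drop"              # out of window from the filter's point of view
        self._learn(p)
        return "pass"

    def _learn(self, p: Pkt) -> None:
        peer = self.peers[p.src]
        peer.win = p.win
        if "A" in p.flags:
            peer.ack = p.ack
        if "S" in p.flags and p.wscale is not None:
            peer.wscale = p.wscale         # only learnable from the handshake


def run(tracker: Tracker, packets: List[Pkt]) -> List[str]:
    return [tracker.process(p) for p in packets]


# Constructed traffic: the client negotiates shift 5, the server shift 7, then the
# server streams 1460-byte segments.  The client's raw window of 4096 really means
# 4096 << 5 = 131072 bytes, so the endpoints happily exceed 4096 bytes in flight.
HANDSHAKE = [
    Pkt("client", "S",  seq=0,    ack=0,    win=4096, wscale=5),
    Pkt("server", "SA", seq=5000, ack=1,    win=1024, wscale=7),
    Pkt("client", "A",  seq=1,    ack=5001, win=4096),
]
DATA = [
    Pkt("client", "PA", seq=1,    ack=5001, win=4096, payload=300),   # request
    Pkt("server", "A",  seq=5001, ack=301,  win=1024, payload=1460),  # response ...
    Pkt("server", "A",  seq=6461, ack=301,  win=1024, payload=1460),
    Pkt("server", "A",  seq=7921, ack=301,  win=1024, payload=1460),  # ends at 9381 > 5001 + 4096
]


def demo() -> Dict[str, List[str]]:
    return {
        # handshake seen: both scale factors known, every segment passes
        "syn_seen": run(Tracker(require_syn=True), HANDSHAKE + DATA),
        # bare keep state, state created mid-stream: third segment exceeds the unscaled window
        "mid_stream_keep_state": run(Tracker(require_syn=False), DATA),
        # flags S/SA, handshake missed: no state is created, the client must re-handshake
        "mid_stream_flags_S_SA": run(Tracker(require_syn=True), DATA),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The middle case is the symptom reported at the top of the thread: the connection is established, the first segments flow, and then the transfer stops once the endpoints move past the window size the filter believes in.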
