PF and State Table

Jeremy Chadwick koitsu at freebsd.org
Wed Apr 2 09:59:41 UTC 2008


On Wed, Apr 02, 2008 at 02:53:57AM -0700, Diego Salvador wrote:
> pass out on $ext_if inet from 192.168.100.1 to any keep state 

This rule is going to break the things David mentioned; RFC1323 (window
size negotiation) for example.  You're going to be creating a new state
table entry for every outbound packet (TCP, UDP, ICMP), and for TCP,
regardless of what TCP state.

Also, ensure that you don't have any rules **below** that rule which
might override the behaviour (you're not using "quick" on that rule).

Otherwise: you should use flags S/SA on that statement, but that adds
ambiguity in regards to UDP and ICMP.

Thus, I'd recommend you use this instead (you can remove "inet" unless
you really want to limit to IPv4 packets):

pass out quick on $ext_if inet proto tcp all flags S/SA keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all keep state

> where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall. As you
> can see from the above rules, I didn't specify any specific protocols like TCP, UDP
> and ICMP, so TCP here just uses the "keep state" option without flags. Google and
> YouTube sites seem not to continue displaying web pages, but I can see that the
> connections were established between the Windows Vista node and the Google and
> YouTube sites.

And I bet you have a large number of state-mismatch entries in pfctl -s
info, which are likely caused by the above problem.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
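Added here as an illustration, not part of Jeremy's reply and not pf's own tooling: a small Python checker that does the two things the reply describes by hand. It flags `pass` rules that keep state on TCP without a `flags` clause (and so will create state from mid-stream packets), and it reads the `state-mismatch` and `inserts` counters out of `pfctl -s info` to quantify the symptom. The pf.conf fragment and the `pfctl -s info` output below are constructed sample data; the parser assumes the two-column counter layout shown there.

```python
import re

# Constructed pf.conf fragment (not the poster's real config): the first pass
# rule is the one under discussion, the next three are the recommended split.
SAMPLE_RULES = """\
ext_if = "em0"
# original rule: creates TCP state from any packet, no SYN check
pass out on $ext_if inet from 192.168.100.1 to any keep state
pass out quick on $ext_if inet proto tcp all flags S/SA keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all keep state
"""

# Constructed `pfctl -s info` output with an unhealthy state-mismatch count.
SAMPLE_PFCTL_INFO = """\
Status: Enabled for 0 days 02:13:05           Debug: Urgent

State Table                          Total             Rate
  current entries                      142
  searches                          891244          111.6/s
  inserts                            20311            2.5/s
  removals                           20169            2.5/s
Counters
  match                              20311            2.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  state-mismatch                      4872            0.6/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
"""

STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")


def rule_matches_tcp(rule):
    """True if the rule can match TCP: no proto clause at all (any protocol)
    or a proto clause listing tcp (or protocol number 6)."""
    m = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", rule)
    if m is None:
        return True
    protos = re.findall(r"[A-Za-z0-9]+", m.group(1))
    return "tcp" in protos or "6" in protos


def find_stateful_tcp_without_flags(conf_text):
    """Return (line number, rule) for each pass rule that keeps state on TCP
    without a flags clause, i.e. that will create state mid-stream."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()      # drop comments
        if not rule.startswith("pass"):
            continue
        if not any(kw in rule for kw in STATE_KEYWORDS):
            continue
        if not rule_matches_tcp(rule):
            continue
        if re.search(r"\bflags\s+\S+", rule):    # e.g. flags S/SA
            continue
        findings.append((lineno, rule))
    return findings


def parse_pfctl_info(output):
    """Parse the 'State Table' and 'Counters' sections of `pfctl -s info`
    into {name: total}; assumes the indented name/total/rate layout above."""
    counters = {}
    for line in output.splitlines():
        m = re.match(r"^\s+([a-z][a-z -]*[a-z])\s+(\d+)(\s|$)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def mismatch_ratio(counters):
    """state-mismatch per state insert; a ratio in the tens of percent means
    many packets are hitting states they do not belong to."""
    return counters.get("state-mismatch", 0) / max(counters.get("inserts", 0), 1)


if __name__ == "__main__":
    for lineno, rule in find_stateful_tcp_without_flags(SAMPLE_RULES):
        print(f"line {lineno}: keeps TCP state without flags: {rule}")
    c = parse_pfctl_info(SAMPLE_PFCTL_INFO)
    print(f"state-mismatch={c['state-mismatch']} inserts={c['inserts']} "
          f"ratio={mismatch_ratio(c):.2f}")
```

On a live box the same functions can be fed `open("/etc/pf.conf").read()` and `subprocess.run(["pfctl", "-s", "info"], capture_output=True, text=True).stdout`; the checker deliberately treats a rule with no `proto` clause as a TCP rule, because that is exactly the case in the thread.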


