PF and State Table

Mark Pagulayan m.pagulayan at auckland.ac.nz
Wed Apr 2 20:33:57 UTC 2008


Hi, 

What pf version are you using? Correct me if I am wrong, guys: on PF 4.1,
which is the release version of pf on FreeBSD 7.0, when you specify keep
state, is the flag S/A implied?

Cheers, 

Mark

-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org]
On Behalf Of Diego Salvador
Sent: Wednesday, 2 April 2008 10:54 p.m.
To: fox at verio.net
Cc: freebsd-pf at freebsd.org
Subject: Re: PF and State Table


Sir David,

So you mean to say that it is really required for pf rules to specify TCP
flags when used with keep state? Because this seems to relate to my
previous problem with the PF firewall that will cause a problem in browsing
Google and YouTube web sites with Windows Vista nodes behind PF. Example
rules for the node are

pass in on $ext_if inet from any to 192.168.100.1 
pass out on $ext_if inet from 192.168.100.1 to any keep state 

where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall.
As you can see in the above rules, I didn't specify any specific protocols
like TCP, UDP and ICMP, so TCP here just uses the "keep state" option
without flags. Google and YouTube sites seem to not continue displaying
web pages, but I can see that the connections were established between the
Windows Vista node and the Google and YouTube sites.

Yes, that's what I'm looking for: the file where I can analyze the PF state
table in the source code.

Thanks,

Diego Salvador





>
> This is somewhat risky, because you really don't want to waste a state
> entry on something that's half-way in the middle of a TCP session
> (well, I suppose you could, but it seems insecure).

It's more than just insecure; it can cause breakage of TCP connections,
especially in a world where RFC 1323 is commonplace (i.e. today's
world).

If PF starts tracking state from the middle of a connection, it has
missed out on discovering what TCP window scaling factors are in use. 
If there happens to be no scaling in use, it works fine, but if a scale
factor is being applied, PF will not track the state correctly, and the
connection will stall out.

> > In what file in PF in the FreeBSD kernel is the state table structure
> > located?
> 
> I don't understand this question.

I think the question is asking for details on how PF state is stored in
memory.  I found a very nice struct pf_state in
/usr/include/net/pfvar.h.

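As an added illustration of the window-scaling point in the reply above (constructed here, not code from the thread or from pf itself): a toy tracker that applies one pf-style window check, run over a flow seen from its SYN and over the same flow picked up mid-stream. The segment numbers, the side names and the single check are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:
    src: str                      # "client" or "server" (constructed labels)
    seq: int                      # sequence number of first payload byte
    ack: Optional[int]            # ACK number (None on a bare SYN)
    win: int                      # raw 16-bit window field
    length: int = 0               # payload bytes
    syn: bool = False
    wscale: Optional[int] = None  # window-scale option; only legal on SYN

@dataclass
class Side:
    ack: Optional[int] = None     # last ACK this side sent (next byte it wants)
    win: int = 0                  # last raw window this side advertised
    wscale: Optional[int] = None  # shift count learned from this side's SYN

class Tracker:
    # One state entry, one simplified pf-style check: data must fit inside
    # the window the receiving side last advertised (not pf's real code).
    def __init__(self) -> None:
        self.sides = {"client": Side(), "server": Side()}

    def handle(self, seg: Segment) -> str:
        me = self.sides[seg.src]
        peer = self.sides["server" if seg.src == "client" else "client"]
        if seg.syn:
            me.wscale = seg.wscale or 0   # scale factor is only negotiable on SYN
        # Scaling counts only if both SYNs were seen; a mid-stream state must assume none.
        shift = peer.wscale if me.wscale is not None and peer.wscale is not None else 0
        verdict = "pass"
        if peer.ack is not None and seg.seq + seg.length > peer.ack + (peer.win << shift):
            verdict = "drop"              # beyond what the receiver said it accepts
        me.ack, me.win = seg.ack, seg.win
        return verdict

def run(segments: list) -> list:
    t = Tracker()
    return [t.handle(s) for s in segments]

# Constructed flow: both ends negotiate wscale 7, so raw window 1024 means 128 KiB.
FULL = [
    Segment("client", 1000, None, 65535, syn=True, wscale=7),
    Segment("server", 5000, 1001, 1024, syn=True, wscale=7),
    Segment("client", 1001, 5001, 1024),
    Segment("server", 5001, 1001, 1024),
    Segment("client", 61001, 5001, 1024, length=1460),   # ~60 KiB in flight
]
MID_STREAM = FULL[2:]   # the firewall (re)started after the handshake
```

`run(FULL)` passes every segment, while `run(MID_STREAM)` drops the last one because the tracker never learned the scale factor and treats 1024 as the real window.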
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf