floating keep state
Vadym Chepkov
vchepkov at gmail.com
Thu Feb 28 15:12:15 UTC 2008
It was not my intention to argue with anybody. I was trying to understand why the packet was blocked, and my reply to Daniel got bounced, so I posted it to the distro. I got it now: the IN packet's state doesn't match IN packets, only OUT. Thank you.
Vadym
----- Original Message -----
From: "Kian Mohageri" <kian.mohageri at gmail.com>
To: "Vadym Chepkov" <vchepkov at gmail.com>
Cc: <freebsd-pf at freebsd.org>
Sent: Thursday, February 28, 2008 9:56 AM
Subject: Re: floating keep state
> On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <vchepkov at gmail.com> wrote:
>> set block-policy return
>> set state-policy floating
>> pass in log quick proto udp from any to 10.10.10.1 port domain keep state
>> block in log from any to 10.10.11.254
>>
>> 22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
>> 22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
>>
>
> States not only have address/port pairs in them (among other things),
> but they also have a direction.
>
> The request packet (coming in on xl1) creates a state that will match
> the following:
>
> 10.10.11.254:32772 ==> 10.10.10.1:53 (IN)
> 10.10.10.1:53 ==> 10.10.11.254:32772 (OUT)
>
> The same packet is filtered again on xl0, but notice it will not match
> this state because its direction is now "out". As Daniel said, it's
> passed anyway because of the implicit pass rule at the end of your
> ruleset (by the way this makes it difficult to troubleshoot problems).
>
> Server receives packet and replies:
>
> 10.10.10.1:53 ==> 10.10.11.254:32772 (IN)
>
> Notice this will not match the state created above (direction is IN,
> not OUT), and it will also be blocked by your second rule.
>
> -Kian
>
> PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)
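As an added illustration of the direction point Kian makes above (this is example configuration written for this archive page, not the original poster's ruleset and not Daniel's suggested fix, which the thread does not reproduce): a pf.conf that creates a state on both interfaces the request crosses, so the reply has a matching state on xl0 as well as on xl1. It assumes xl0 faces the DNS server 10.10.10.1 and xl1 faces the client 10.10.11.254, as the pflog lines in the thread suggest, and it replaces the implicit pass at the end of the ruleset with an explicit, logged default deny.

```pf
# Added example, not the ruleset from the thread. Interface roles, the
# macros and the default-deny policy are assumptions for illustration.
ext_if  = "xl0"         # assumed: interface towards the DNS server
int_if  = "xl1"         # assumed: interface towards the client
dns_srv = "10.10.10.1"

set block-policy return
set state-policy floating

# Explicit default deny, logged. With this in place nothing is passed by
# the implicit pass rule at the end of the ruleset, so every packet that
# has no matching rule or state shows up in pflog instead of silently
# passing, which is what made the original problem hard to see.
block log all

# The request arrives on xl1 from the client. This creates a state whose
# reverse direction is OUT on xl1, which is what the reply matches when
# it finally leaves towards the client.
pass in  quick on $int_if proto udp from any to $dns_srv port domain keep state

# The same request then leaves on xl0 towards the server. This rule
# creates a second state whose reverse direction is IN on xl0. That is the
# state the reply from 10.10.10.1:53 matches when it arrives on xl0.
# Without this rule the reply has no IN state on xl0 and falls through to
# "block log all" (in the thread, to "block in log from any to
# 10.10.11.254"), which is exactly the "rule 1/0(match): block in on xl0"
# line in the log.
pass out quick on $ext_if proto udp from any to $dns_srv port domain keep state

# No rule is needed for the replies themselves: each reply packet matches
# the state created by the pass rule for the corresponding request.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after sending a query watch `pfctl -ss`: the state table lists one entry per interface the request was passed on, and the arrow in each entry shows the direction the state was created in, which is the property Kian's explanation turns on.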