FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Mark Pagulayan m.pagulayan at auckland.ac.nz
Thu May 15 02:54:13 UTC 2008


Hi,

Sorry guys if somehow the information I post in this thread is
incomplete. 

We are using PF from FreeBSD 7.0 and using the rules we used from
OpenBSD 4.0 PF. With the help of Jeremy Chadwick, I found out that
modulate state is broken in FreeBSD PF, so I replaced all rules that use
modulate state to use keep state.

PF runs in bridge mode where one end connects to the Border
Router (connected to the internet) and the other end to a Core
Switch (connected to the University network). Basically we do a layer 2
firewall with PF.

Unfortunately I can't post all of my rules/attach, but I could for some.
Would this be helpful?

=======================================================================
set limit states 150000
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 90000, adaptive.end 250000 }

ext_if = "em1"
int_if = "em0"

set loginterface $ext_if
wireless_allowed_tcp = "{515}"
blocked_udp = "{7, 67, 68, 69, 111, 134><140, 199, 445, 512, 513, 520, 1993, 2049, 1900, 5000}"
blocked_tcp_in = "{7, 11, 15, 67, 68, 87, 111, 134><140, 144, 199, 445, 511><516, 1025, 1993, 1900, 2049, 2766, 5000, 5999><6100}"
blocked_tcp_out = "{7, 11, 15, 67, 68, 87, 111, 134><140, 144, 199, 445, 511><516, 1993, 1900, 2049, 2766, 5000, 6000}"

scrub in on $ext_if

altq on $ext_if cbq bandwidth 200Mb queue { default, unlimited, sponsored, premium, proxy, standard }
altq on $int_if cbq bandwidth 800Mb queue { default, unlimited, sponsored, premium, proxy, standard }
queue default on $ext_if bandwidth 67% cbq(default)
queue default on $int_if bandwidth 67% cbq(default)
queue unlimited on $ext_if bandwidth 15% cbq(borrow ecn)
queue unlimited on $int_if bandwidth 15% cbq(borrow ecn)
queue sponsored on $ext_if bandwidth 9% cbq(borrow ecn)
queue sponsored on $int_if bandwidth 9% cbq(borrow ecn)
queue premium on $ext_if bandwidth 7% cbq(borrow ecn)
queue premium on $int_if bandwidth 7% cbq(borrow ecn)
queue standard on $ext_if bandwidth 2% priority 4 cbq(red)
queue standard on $int_if bandwidth 2% priority 4 cbq(red)

pass in log quick on $int_if
pass out log quick on $int_if

block in log on $ext_if all
block return out log on $ext_if all

pass quick on $ext_if proto ospf
pass quick on $ext_if proto igmp allow-opts
pass quick on $ext_if proto pim allow-opts
pass in quick on $ext_if proto udp from any to 224.0.0.0/4 allow-opts keep state
pass in quick on $ext_if from any to 224.0.0.0/4 allow-opts keep state

pass in quick log on $ext_if from <dmz_router> to any keep state
pass out quick log on $ext_if from any to <dmz_router> keep state

pass in quick on $ext_if from any to <wide_open> flags S/SA keep state
pass out quick on $ext_if from <wide_open> to any keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
pass in on $ext_if inet proto icmp from any to <ping> icmp-type echoreq keep state
pass in quick on $ext_if proto tcp from <wireless_uoa> to any port $wireless_allowed_tcp

block in quick log on $ext_if proto udp from any to any port $blocked_udp
block out quick log on $ext_if proto udp from any to any port $blocked_udp
block in quick log on $ext_if proto tcp from any to any port $blocked_tcp_in
block out quick log on $ext_if proto tcp from any to any port $blocked_tcp_out

pass in quick on $ext_if proto tcp from any to {<tcp-25-in>, <firewall>} port=25 flags S/SA keep state
pass out quick on $ext_if proto tcp from {<tcp-25-out>, <firewall>} to any port=25 keep state
pass out quick on $ext_if proto tcp from <tcp-53-out> to any port=53 keep state
pass out quick on $ext_if proto udp from <udp-53-out> to any port=53 keep state
pass in quick on $ext_if from any to <firewall> flags S/SA keep state
pass out quick on $ext_if from <firewall> to any keep state
block out quick log on $ext_if proto tcp from any to any port=53
block out quick log on $ext_if proto udp from any to any port=53
block in log quick on $ext_if proto tcp from any to any port=25
block out quick log on $ext_if proto tcp from any to any port=25
block out quick on $ext_if from <no_netaccount> to any
pass out quick on $ext_if from <external> to any keep state
pass out quick on $ext_if from <unlimited> to any keep state queue unlimited
pass out quick on $ext_if from <sponsored> to any keep state queue sponsored
pass out quick on $ext_if from <premium> to any keep state queue premium
pass out quick on $ext_if from <standard> to any keep state queue standard
pass in quick on $ext_if from any to <svr-out> flags S/SA keep state

=======================================================================

And checking on the state-mismatch

[mpag016 at fw3 /home/mpag016]# sudo pfctl -si | grep state-mis
  state-mismatch                     12179            3.9/s

Also, I want to understand the values that the "pfctl -si" command outputs;
can someone point me in the right direction?

Cheers, 

Mark
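An added example, not part of this thread and not pfctl's own code: a small POSIX sh script that parses the counter block of `pfctl -si` from two snapshots and reports which counters moved in between. The Total column of `pfctl -si` is a raw count since pf was enabled (or since `pfctl -F info`), and the Rate column is that Total divided by the same uptime, so both smooth over any recent change; taking the difference between two snapshots a few minutes apart is the usual way to see whether state-mismatch is still climbing. The snapshot text is constructed to follow the layout of `pfctl -si` on FreeBSD 7.0; only the state-mismatch Total of 12179 in the first snapshot is taken from the post above, every other number is made up.

```shell
#!/bin/sh
# Added example (not from the original thread): parse the counters of two
# `pfctl -si` snapshots and report what increased between them.
# Both snapshots are constructed; only 12179 comes from the post.

SNAP_A='State Table                          Total             Rate
  current entries                    84211
  searches                        19876543          811.2/s
  inserts                           412345           16.8/s
  removals                          328134           13.4/s
Counters
  match                             450012           18.4/s
  bad-offset                             0            0.0/s
  state-mismatch                     12179            3.9/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# Same box, a constructed snapshot taken a few minutes later.
SNAP_B='State Table                          Total             Rate
  current entries                    86002
  searches                        20376543          812.0/s
  inserts                           416345           16.8/s
  removals                          331934           13.4/s
Counters
  match                             454212           18.4/s
  bad-offset                             0            0.0/s
  state-mismatch                     12779            4.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              3            0.0/s
  synproxy                               0            0.0/s'

# Total column of one counter: first field is the name, second the integer.
pf_counter() {
    printf '%s\n' "$1" | awk -v name="$2" \
        '$1 == name && $2 ~ /^[0-9]+$/ { print $2; exit }'
}

# Difference of a counter between an older ($1) and a newer ($2) snapshot;
# fails if the counter is missing from either snapshot.
pf_counter_delta() {
    old=$(pf_counter "$1" "$3")
    new=$(pf_counter "$2" "$3")
    [ -n "$old" ] && [ -n "$new" ] || return 1
    printf '%s\n' $((new - old))
}

# Print the error counters that increased between the two snapshots.
pf_counter_report() {
    for c in state-mismatch state-insert state-limit src-limit memory; do
        d=$(pf_counter_delta "$1" "$2" "$c") || continue
        [ "$d" -gt 0 ] && printf '%-16s +%s\n' "$c" "$d"
    done
    return 0
}

# Mismatches as a percentage of the states inserted in the same interval,
# which is easier to compare across boxes than a raw per-second rate.
pf_mismatch_pct() {
    mm=$(pf_counter_delta "$1" "$2" state-mismatch) || return 1
    ins=$(pf_counter_delta "$1" "$2" inserts) || return 1
    [ "$ins" -gt 0 ] || return 1
    printf '%s\n' $((mm * 100 / ins))
}

pf_counter_report "$SNAP_A" "$SNAP_B"
echo "state-mismatch per insert: $(pf_mismatch_pct "$SNAP_A" "$SNAP_B")%"
```

On a live system the two snapshots would come from `pfctl -si` run a few minutes apart. The state-mismatch counter increments when a packet matches an existing state entry but fails that state's checks (for TCP, the sequence number window), and pf drops the packet; raising the debug level with `pfctl -x misc` makes this generation of pf print "pf: BAD state" lines describing each such packet to the console, which is the quickest way to find which flows are producing them.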
-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org]
On Behalf Of Tom Uffner
Sent: Thursday, 15 May 2008 1:26 p.m.
To: freebsd-pf at freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Mark Pagulayan wrote:
> I am using bridge pf:
> 
> I only allow pass all on my internal interface. So there is no other
> rule for that interface. How do I know that states are mismatched for
> both internal and external? 

Could you post your full ruleset and a quick description of your net
topology? Then maybe someone can identify the most likely sources of
your state mismatches.
_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"