keeping state on outgoing connections fails (?)
Jon Radel
jon at radel.com
Wed Sep 3 13:43:10 UTC 2008
Guido van Rooij wrote:
>
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>
> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
> and passes because of rule 1.
> Then the packet goes out via bge0, is passed via rule 3 and a state entry is
> created.
>
> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>
> Then the packet should be sent out via ep0, but it is blocked, as pflogd shows:
And does the problem go away when you put a "keep state" at the end of
line 1?
--Jon Radel
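To see why the fourth interface crossing is the one that gets blocked, here is a constructed Python model (added here; it is not code from the thread or from pf itself) that pushes the four crossings of Guido's telnet connection through his three quick rules, using the directional state keys old pf used (lan->ext for outbound lookups, ext->gwy for inbound ones), first with the ruleset as posted and then with "keep state" on rule 1 as Jon suggests. The client port 40000 and floating (interface-independent) states are assumptions.

```python
# Constructed, simplified model of old pf (FreeBSD 6.x) stateful filtering:
# every interface crossing is filtered separately, and a floating state is
# keyed lan->ext for outbound lookups and ext->gwy for inbound lookups.
from collections import namedtuple

Pkt = namedtuple("Pkt", "ifname direction src dst sport dport")
Rule = namedtuple("Rule", "action direction ifname src dst keep_state")

def rule_matches(r, p):
    return (r.direction == p.direction and r.ifname == p.ifname
            and r.src in ("any", p.src) and r.dst in ("any", p.dst))

def state_key(p):
    tree = "lan_ext" if p.direction == "out" else "ext_gwy"
    return (tree, p.src, p.sport, p.dst, p.dport)

def reply_key(p):
    # Key that the reply packet (dst -> src, opposite direction) will look up.
    tree = "ext_gwy" if p.direction == "out" else "lan_ext"
    return (tree, p.dst, p.dport, p.src, p.sport)

def pf_test(rules, states, p):
    # Verdict for one packet on one interface; updates the state table.
    if state_key(p) in states:
        return "pass (state)"
    for r in rules:                      # first matching quick rule wins
        if rule_matches(r, p):
            if r.action == "pass" and r.keep_state:  # no NAT, so gwy == lan
                states.update({state_key(p), reply_key(p)})
            return r.action
    return "pass"                        # pf's default when nothing matches

def simulate(keep_state_on_rule1):
    rules = [
        Rule("pass", "in", "ep0", "1.2.3.1", "10.0.0.2", keep_state_on_rule1),
        Rule("block", "out", "ep0", "any", "any", False),
        Rule("pass", "out", "bge0", "1.2.3.1", "10.0.0.2", True),
    ]
    states = set()
    # telnet 1.2.3.1 -> 10.0.0.2: SYN crosses ep0 (in) then bge0 (out);
    # SYN/ACK crosses bge0 (in) then ep0 (out). Client port 40000 is made up.
    path = [Pkt("ep0", "in", "1.2.3.1", "10.0.0.2", 40000, 23),
            Pkt("bge0", "out", "1.2.3.1", "10.0.0.2", 40000, 23),
            Pkt("bge0", "in", "10.0.0.2", "1.2.3.1", 23, 40000),
            Pkt("ep0", "out", "10.0.0.2", "1.2.3.1", 23, 40000)]
    return [pf_test(rules, states, p) for p in path]

if __name__ == "__main__":
    print("original ruleset :", simulate(False))
    print("keep state rule 1:", simulate(True))
```

The state rule 3 creates only answers lookups for 1.2.3.1->10.0.0.2 outbound and 10.0.0.2->1.2.3.1 inbound, so the SYN/ACK leaving ep0 never matches it and falls through to rule 2; a state created by rule 1 is keyed for exactly that outbound lookup.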