keeping state on outgoing connections fails (?)

Jon Radel jon at radel.com
Wed Sep 3 14:13:25 UTC 2008


Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
>>> I did test the following ruleset:
>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
>>> block drop out log quick on ep0 all
>>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
>>>
>>> And there it works, but doesn't solve my problem unfortunately.
>> And why doesn't it solve your problem?
>>
>> You really are going to have to either keep state on ep0 or allow
>> everything that's legal in "pass out on ep0" statements.
>>
>> For example:
>>
>> block all
>> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2
>> pass out on ep0 inet from 10.0.0.2 to 1.2.3.1
>> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
> 
> And why is that so? This basically rules out keep state on outgoing packets
> on any router-type system. That seems like an unnecessary limitation.

What?  If you want state, turn it on:

block all
pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

should work fine also.  Other things being equal (in other words, your
mileage may vary....), that is both more secure and more efficient than
the first rule set I offered as an example.  I sent the first one only
because you insisted that your real rule set for 5 interfaces would not
allow you to maintain state on ep0 (or its equivalent).

You still haven't given us any hints as to why the solution which
maintains state on all interfaces is impossible for you.

> 
> I have not yet heard any reason why this is the case. pf was modelled
> after ipf, so I wonder why this change in state handling was introduced.

This is probably the wrong list if you want to have people justify
design decisions.

--Jon Radel
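The point Jon makes above (a state created by "pass out on bge0 ... keep state" does not cover the reply leaving on ep0, so you either keep state on ep0 as well or write explicit "pass out on ep0" rules) can be seen by running the rule sets from this thread through a small model. The model below is an added illustration, not pf's source code, and it makes simplifying assumptions: a state is keyed only by (direction, src, dst), states float across interfaces, a packet matches a state either in the same direction with the same addresses or in the opposite direction with the addresses swapped, last matching rule wins unless it is "quick", and a packet matching no rule is passed (which is why Guido's quoted set has no "block all"). The fourth rule set, RULESET_STATE_BGE0_ONLY, is constructed here to show the failure Jon describes; the other three are the ones posted in the thread.

```python
"""Simplified model of pf state matching for a two-interface router.

Added illustration, not pf's own code.  Assumed semantics:
  * state key = (direction, src, dst); ports and protocol are ignored
  * states are floating: they match on any interface
  * a packet matches a state if it has the same direction and the same
    src/dst, or the opposite direction with src/dst swapped
  * rules: last match wins unless "quick"; no match at all means pass
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLIENT = "1.2.3.1"    # address on the ep0 side, from the thread
SERVER = "10.0.0.2"   # address on the bge0 side, from the thread


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: Optional[str]    # None matches both directions ("block all")
    iface: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    keep_state: bool = False
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.iface, p.iface),
            (self.src, p.src), (self.dst, p.dst)))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.states = set()   # entries of (direction, src, dst)

    def _state_match(self, p: Packet) -> bool:
        same = (p.direction, p.src, p.dst) in self.states
        reverse_dir = "out" if p.direction == "in" else "in"
        swapped = (reverse_dir, p.dst, p.src) in self.states
        return same or swapped

    def filter(self, p: Packet) -> str:
        if self._state_match(p):
            return "pass"
        decision, keep = "pass", False
        for r in self.rules:
            if r.matches(p):
                decision, keep = r.action, r.keep_state
                if r.quick:
                    break
        if decision == "pass" and keep:
            self.states.add((p.direction, p.src, p.dst))
        return decision


def forward_and_reply(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Send one request ep0 -> bge0 and its reply bge0 -> ep0.
    Returns (hop, verdict) pairs; stops at the first blocked hop."""
    fw = Firewall(rules)
    hops = [Packet("in", "ep0", CLIENT, SERVER), Packet("out", "bge0", CLIENT, SERVER),
            Packet("in", "bge0", SERVER, CLIENT), Packet("out", "ep0", SERVER, CLIENT)]
    results = []
    for p in hops:
        verdict = fw.filter(p)
        results.append((f"{p.direction} {p.iface}", verdict))
        if verdict == "block":
            break
    return results


BLOCK_ALL = Rule("block", None, None, None, None)

# Guido's tested set: state on ep0 in, block out on ep0, stateless out on bge0.
RULESET_QUOTED = [
    Rule("pass", "in", "ep0", CLIENT, SERVER, keep_state=True, quick=True),
    Rule("block", "out", "ep0", None, None, quick=True),
    Rule("pass", "out", "bge0", CLIENT, SERVER, quick=True)]

# Jon's first set: no state on ep0, explicit pass out on ep0, state on bge0.
RULESET_STATELESS_EP0 = [
    BLOCK_ALL,
    Rule("pass", "in", "ep0", CLIENT, SERVER),
    Rule("pass", "out", "ep0", SERVER, CLIENT),
    Rule("pass", "out", "bge0", CLIENT, SERVER, keep_state=True)]

# Jon's second set: keep state on both interfaces.
RULESET_STATE_BOTH = [
    BLOCK_ALL,
    Rule("pass", "in", "ep0", CLIENT, SERVER, keep_state=True),
    Rule("pass", "out", "bge0", CLIENT, SERVER, keep_state=True)]

# Constructed here: state only on bge0 out, nothing allowing the reply out ep0.
RULESET_STATE_BGE0_ONLY = [
    BLOCK_ALL,
    Rule("pass", "in", "ep0", CLIENT, SERVER),
    Rule("pass", "out", "bge0", CLIENT, SERVER, keep_state=True)]

if __name__ == "__main__":
    for name, rs in [("quoted", RULESET_QUOTED), ("stateless ep0", RULESET_STATELESS_EP0),
                     ("state both", RULESET_STATE_BOTH), ("state bge0 only", RULESET_STATE_BGE0_ONLY)]:
        print(f"{name:16s} {forward_and_reply(rs)}")
```

In the model the bge0 state is recorded as (out, 1.2.3.1, 10.0.0.2); the reply leaving ep0 is an out packet from 10.0.0.2 to 1.2.3.1, which is neither the same direction with the same addresses nor the reverse direction with swapped addresses, so it falls through to the rules and is blocked. The state created by "pass in on ep0 ... keep state" is what covers that last hop, which is exactly the alternative Jon offers.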