keeping state on outgoing connections fails (?)

Max Laier max at love2party.net
Wed Sep 3 18:25:13 UTC 2008


On Wednesday 03 September 2008 13:09:43 Guido van Rooij wrote:
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>
> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
> and passes because of rule 1.
> Then the packet goes out via bge0, is passed via rule 3 and a state entry
> is created.
>
> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>
> Then the packet should be sent out via ep0, but it is blocked, as pflogd
> shows: 000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 >

There is no state entry and no rule that would allow traffic to be sent out 
via ep0.  You either have to create state on ep0 or you must allow traffic on 
ep0 in both directions.  I think the ruleset you are looking for is something 
along the lines of:

block drop all

pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
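As an added example that is not part of the thread above, the following pf.conf shows Max's suggested ruleset spelled out for the two-interface box from Guido's setup, with the interface names and addresses from his message turned into macros and a logging block rule so that pflog still shows anything that is dropped. The macro names (ext_if, int_if, client, server) are assumptions for readability, not anything from the original post; `flags S/SA` restricts state creation to the initial SYN, which is the pf idiom for stateful TCP rules. Because both the inbound pass on ep0 and the outbound pass on bge0 carry `keep state`, the SYN/ACK that comes back in on bge0 and goes out on ep0 matches an existing state on each interface instead of falling through to the block rule.

```pf
# /etc/pf.conf -- added example, not from the original thread
# Names below are assumptions chosen to match the addresses in the report.
ext_if = "ep0"      # 1.2.3.4/24
int_if = "bge0"     # 10.0.0.1/24
client = "1.2.3.1"
server = "10.0.0.2"

# Default deny in both directions on every interface; log so pflog shows drops.
block drop log all

# Inbound on ep0: create state when the client's SYN arrives, so the
# SYN/ACK leaving via ep0 matches this state instead of the block rule.
pass in quick on $ext_if inet proto tcp from $client to $server \
    keep state flags S/SA

# Outbound on bge0: create state as the SYN is forwarded, so the
# SYN/ACK arriving on bge0 matches this state.
pass out quick on $int_if inet proto tcp from $client to $server \
    keep state flags S/SA
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. After starting a connection from the client, `pfctl -ss` should list two state entries for the same TCP session, one per interface; if `tcpdump -n -e -ttt -i pflog0` still shows a `block out on ep0` line for the return packet, one of the two `keep state` rules did not match the initial SYN.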

