keeping state on outgoing connections fails (?)

Jon Radel jon at radel.com
Wed Sep 3 18:42:25 UTC 2008


Max Laier wrote:
> On Wednesday 03 September 2008 13:09:43 Guido van Rooij wrote:
>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>
>> ep0: 1.2.3.4/24
>> bge0: 10.0.0.1/24
>>
>> ruleset (made as simple as possible):
>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
>> block drop out log quick on ep0 all
>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
>> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
>> and passes because of rule 1.
>> Then the packet goes out via bge0, is passed via rule 3 and a state entry
>> is created.
>>
>> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>>
>> Then the packet should be sent out via ep0, but it is blocked, as pflogd
>> shows: 000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 >
> 
> There is no state entry and no rule that would allow traffic to be sent out 
> via ep0.  You either have to create state on ep0 or you must allow traffic on 
> ep0 in both directions.  I think the ruleset you are looking for is something 
> along the lines of:
> 
> block drop all
> 
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
> pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
> 

The OP didn't like that answer when I gave it to him.  Maybe you've
managed to provide a more felicitous wording.  ;-)

--Jon Radel
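As an added illustration, not code from the thread or from pf itself: a deliberately simplified Python model of pf's last-match rule evaluation and floating state table, run over the SYN / SYN-ACK path for both rulesets quoted above. It assumes floating states keyed by direction and addresses only, ignores ports, protocol and TCP state tracking, and drops the `inet` / `proto tcp` criteria; `flags S/SA` is modelled as "a bare SYN only".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    iface: str; direction: str; src: str; dst: str; syn: bool = False; ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str; direction: str = "any"; iface: str = "any"; src: str = "any"; dst: str = "any"
    quick: bool = False; keep_state: bool = False; flags_s_sa: bool = False

    def matches(self, p):
        crit = (self.direction, p.direction), (self.iface, p.iface), (self.src, p.src), (self.dst, p.dst)
        if any(want not in ("any", got) for want, got in crit): return False
        return not self.flags_s_sa or (p.syn and not p.ack)   # 'flags S/SA': bare SYN only

class PF:
    """Floating states keyed by (direction, src, dst); a reply matches the reversed key."""
    def __init__(self, rules):
        self.rules, self.states = list(rules), set()

    def filter(self, p):
        rev = "in" if p.direction == "out" else "out"
        if (p.direction, p.src, p.dst) in self.states or (rev, p.dst, p.src) in self.states:
            return "pass (state)"
        winner = None
        for r in self.rules:            # pf: last matching rule wins unless it says 'quick'
            if r.matches(p):
                winner = r
                if r.quick: break
        if winner is None: return "pass (default)"
        if winner.action == "pass" and winner.keep_state:
            self.states.add((p.direction, p.src, p.dst))
        return winner.action

A, B = "1.2.3.1", "10.0.0.2"   # addresses from the thread; rule sets below follow it
ORIGINAL = [Rule("pass", "in", "ep0", A, B, quick=True),
            Rule("block", "out", "ep0", quick=True),
            Rule("pass", "out", "bge0", A, B, quick=True, keep_state=True)]
FIXED = [Rule("block"),
         Rule("pass", "in", "ep0", A, B, keep_state=True, flags_s_sa=True),
         Rule("pass", "out", "bge0", A, B, keep_state=True, flags_s_sa=True)]

def handshake(rules):
    """Route the SYN and its SYN/ACK through both interfaces; return the four verdicts."""
    pf = PF(rules)
    path = [Pkt("ep0", "in", A, B, syn=True), Pkt("bge0", "out", A, B, syn=True),
            Pkt("bge0", "in", B, A, syn=True, ack=True), Pkt("ep0", "out", B, A, syn=True, ack=True)]
    return [pf.filter(p) for p in path]
```

With the original ruleset the fourth hop (SYN/ACK out on ep0) hits the quick block, which is the pflogd line quoted above; with the suggested ruleset the state created by `pass in on ep0 ... keep state` covers it.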