pf's states
Victor Sudakov
vas at sibptus.ru
Tue Dec 3 03:49:06 UTC 2019
Morgan Wesström wrote:
> >>> ===================================
> >>> # DMZ 172.16.1.0/24
> >>> pass in on $dmz
> >>> #block in on $dmz from any to 192.168.0.0/16
> >>>
> >>> # Inside 192.168.10.0/24
> >>> pass in on $inside
> >>> ===================================
> >>>
> >>> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3.
> >>
> >> Rule 1 does not match this packet
> >> Rule 3 matches said packet, action is PASS
>
> The pass directive creates a state when only SYN is set out of SYN and
> ACK as per the manual page. It does NOT create a state when both SYN and
> ACK are set simultaneously as in your initial reply from the telnet
> server.
Do you mean to say that a state checks not only address:port pairs, but
also TCP flags? This is a new notion for me. What would be a "pass" rule
to create a "catch all" state with no regard for TCP flags?
> Afaik a pass rule only creates state on the interface it
> monitors.
I'm afraid this is an incorrect assumption.
> I did not recreate your setup to check this though. But this
> is what should happen:
>
> With rule 2 remarked:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.
I'm afraid this is an incorrect assumption. According to man pf.conf, by
default "state-policy=floating" and state is not bound to interfaces.
The output of "pfctl -s state" does not indicate any interfaces either,
just protocols, addresses and ports.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
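The two pf.conf knobs argued about above (which TCP flags a "pass" rule creates state on, and whether states are bound to an interface) can be made explicit in the ruleset. The fragment below is an added illustration, not part of the thread or of either poster's configuration; the interface names em1/em2 are assumptions, and the addresses are the ones from the quoted ruleset.

```pf
# Added example: interface names are assumed, addresses come from the thread.
dmz    = "em1"   # 172.16.1.0/24
inside = "em2"   # 192.168.10.0/24

# Default per pf.conf(5): states are not bound to the interface that created
# them and match packets on any interface. Stated explicitly here.
set state-policy floating
# The alternative binds every state to one interface; the same rules would then
# behave differently for traffic crossing from $inside to $dmz:
# set state-policy if-bound

# A bare "pass" on TCP is stateful with the default "flags S/SA": the rule only
# matches (and creates state on) packets with SYN set and ACK clear, i.e. the
# first packet of a connection. The SYN/ACK reply is handled by the state, not
# by rule evaluation.
pass in on $dmz
pass in on $inside

# "Catch all" variant: "flags any" disables the flag check, so a packet from
# the middle of a connection can also create state. Pair it with the sloppy
# tracker, otherwise pf's sequence-number checks will still drop mid-stream
# packets whose window it has not seen.
pass in on $dmz proto tcp flags any keep state (sloppy)

# Per-rule override of the global policy, if only some states should be bound
# to their interface.
pass in on $inside proto tcp keep state (if-bound)
```

Load with `pfctl -nf /path/to/pf.conf` first to syntax-check, then compare `pfctl -vs rules` (per-rule evaluation and state counters) before and after the telnet test; that shows which rule actually created the state, rather than inferring it from whether the connection succeeded.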