pf's states

Victor Sudakov vas at sibptus.ru
Tue Dec 3 06:44:29 UTC 2019


Here is some output from the real lab (the hosts fw.test, inside.test
and dmz.test are all FreeBSD VMs now). Any comments? Why does the state in
the second case look so odd?


root at fw:~ # cat /etc/rc.conf.local
hostname="fw.test"
ifconfig_vtnet0="DHCP description Outside"
ifconfig_vtnet1="172.16.1.1/24 description DMZ"
ifconfig_vtnet2="192.168.10.1/24 description Inside"
pf_enable="YES"
gateway_enable="YES"

root at fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state
root at fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:41985       ESTABLISHED:ESTABLISHED
root at fw:~ #

root at inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
Connected to dmz.test.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

=============================================================
================ and here we enable the "block ..." rule ====
=============================================================

root at fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state
root at fw:~ #
root at fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:50565       CLOSED:SYN_SENT
root at fw:~ #

root at inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
telnet: connect to address 172.16.1.10: Operation timed out
telnet: Unable to connect to remote host


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
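As an added example (not code from the original post), here is a small Python parser for the `pfctl -s states` lines quoted above. It turns each line into initiator/responder endpoints and flags TCP states where pf has recorded the initiator's SYN but nothing from the other side (the `CLOSED:SYN_SENT` case). It assumes the plain two-endpoint state format shown in the message (no NAT translation column) and that the `STATE:STATE` pair is printed in the same order as the two endpoints; the sample input is the two state lines copied from the lab output.

```python
"""Parse `pfctl -s states` output and flag TCP states that never saw a reply.

Added example, not code from the original post. The two sample lines are
the ones quoted in the message; the parser assumes the plain two-endpoint
state format shown there (no NAT translation column) and that the
STATE:STATE pair is printed in the same order as the two endpoints.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two state lines from the lab output above.
SAMPLE_STATES = (
    "all tcp 172.16.1.10:22 <- 192.168.10.3:41985       ESTABLISHED:ESTABLISHED\n"
    "all tcp 172.16.1.10:22 <- 192.168.10.3:50565       CLOSED:SYN_SENT\n"
)

# <iface> <proto> <left> <- or -> <right>   <left_state>:<right_state>
_STATE_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)\s+(?P<arrow><-|->)\s+(?P<right>\S+)\s+"
    r"(?P<left_state>[A-Z_]+):(?P<right_state>[A-Z_]+)\s*$"
)


@dataclass(frozen=True)
class PfState:
    iface: str
    proto: str
    direction: str        # "in" for "<-", "out" for "->"
    initiator: str        # endpoint that opened the connection (host:port)
    responder: str        # endpoint it connected to (host:port)
    initiator_state: str  # pf's tracked state for the initiator side
    responder_state: str  # pf's tracked state for the responder side


def parse_state_line(line: str) -> PfState:
    m = _STATE_LINE.match(line)
    if m is None:
        raise ValueError(f"unrecognised pfctl state line: {line!r}")
    f = m.groupdict()
    if f["arrow"] == "->":
        # outbound state: printed as "src -> dst", initiator on the left
        return PfState(f["iface"], f["proto"], "out",
                       f["left"], f["right"], f["left_state"], f["right_state"])
    # inbound state: printed as "dst <- src", initiator on the right
    return PfState(f["iface"], f["proto"], "in",
                   f["right"], f["left"], f["right_state"], f["left_state"])


def parse_states(text: str) -> List[PfState]:
    """Parse every non-empty line of `pfctl -s states` output."""
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]


def is_half_open(s: PfState) -> bool:
    """True when only the initiator's SYN has passed the firewall: pf holds
    the initiator in SYN_SENT and has seen nothing from the responder."""
    return (s.proto == "tcp" and s.initiator_state == "SYN_SENT"
            and s.responder_state == "CLOSED")


def half_open_states(text: str) -> List[PfState]:
    """Return the states in `text` whose handshake never got an answer."""
    return [s for s in parse_states(text) if is_half_open(s)]


if __name__ == "__main__":
    for s in parse_states(SAMPLE_STATES):
        tag = "half-open (no reply seen)" if is_half_open(s) else "ok"
        print(f"{s.direction:3} {s.initiator} -> {s.responder} "
              f"{s.initiator_state}:{s.responder_state}  {tag}")
```

Run against the two lines from the post, the first state (port 41985) comes out as an ordinary established inbound connection and the second (port 50565) is flagged as half-open. The check only says that pf created the state on the client's SYN and has not matched any packet from 172.16.1.10 against it; it does not say where the reply went missing.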