pf + ipv6 + keep state - any known issues?
Peter Schuller
peter.schuller at infidyne.com
Tue Sep 26 10:35:23 PDT 2006
> Are you using antispoofing rules on your external interface? If you've got
> something like this in your ruleset:
>
> antispoof log quick for $ext_if
>
> Then it will expand into a series of rules containing the following when
> you load them:
Thank you for responding!
No, this is not the issue. I *am* performing antispoof on my physical
interface, but not on the tunnel interface.
After some further investigation my current theory is that I have run into the
trouble with pf and a packet traversing an interface twice.
Having a 'keep state' on the *incoming* direction results in a state entry
according to pfctl, but there is no state entry for the 'keep state' in the
outgoing direction.
The result is that packets coming into port 22 are allowed and state is set
up, but the responding packets (to some random source port) are NOT allowed
because the outgoing direction yielded no state entry.
I am not sure what the behavior is supposed to be with a packet traversing the
same interface twice, except I have seen references to the effect of "don't
be stupid, don't do that, get another NIC" (for the typical firewall/gateway
case). Except in this case that does not apply, even if you agree with the
sentiment to begin with.
Can anyone confirm or deny whether "double" traversal *IS* supposed to work
without difficulties/special cases on current versions of pf/FreeBSD?
Thanks!
--
/ Peter Schuller, InfiDyne Technologies HB
PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller at infidyne.com>'
Key retrieval: Send an E-Mail to getpgpkey at scode.org
E-Mail: peter.schuller at infidyne.com Web: http://www.scode.org
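An added example, not the original poster's ruleset and not taken from the thread, showing the two-direction ruleset the post describes on an assumed IPv6 tunnel interface, together with the pfctl commands used to see which states exist and which rules were hit. The interface names (em0, gif0), the port and the macros are assumptions:

```pf
# Added example (not the original poster's ruleset). Interface names are
# assumptions: physical interface em0, IPv6 tunnel interface gif0.
ext_if   = "em0"
tun_if   = "gif0"
ssh_port = "22"

# Default-deny; pf is last-match unless a rule says 'quick'.
block log all

# Antispoof only on the physical interface, as in the post; the tunnel
# interface is deliberately left out.
antispoof log quick for $ext_if

# Inbound SSH over the tunnel: this is the rule for which the post reports
# a state entry in 'pfctl -ss'.
pass in on $tun_if inet6 proto tcp from any to ($tun_if) port $ssh_port \
    flags S/SA keep state

# Outbound traffic originated by this host over the tunnel.
pass out on $tun_if inet6 keep state

# Inspection, after 'pfctl -f /etc/pf.conf':
#   pfctl -ss        # state entries, with interface and direction
#   pfctl -vsr       # rules with evaluation and packet counters
#   pfctl -s info    # global counters, including state-mismatch
```

With pf's default `set state-policy floating`, a state created by the `pass in` rule is also matched for the reply packets, on whichever interface they leave by, so no separate state from the `pass out` rule is needed for them; `set state-policy if-bound` instead ties a state to the interface on which it was created. Comparing the `pfctl -ss` output against the `state-mismatch` counter from `pfctl -s info` shows whether replies are being rejected for lack of a matching state rather than by an explicit block rule.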