packet filter does not keep state
Erik Norgaard
norgaard at math.ku.dk
Wed Apr 2 14:20:58 UTC 2008
Hi,
I have a problem connecting from one local subnet to another
crossing an FBSD box with pf. Should be trivial, I have the
following ruleset:
<snip>
# Local services accessible from wlan
block in log on $wlan_if inet from $wlan_net to <local_net>
pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
<local_net> port $local_tcp flags S/SA keep state
pass in log quick on $wlan_if inet proto udp from $wlan_net to \
<local_net> port $local_udp keep state
pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
<local_net> icmp-type $local_icmp keep state
block in log quick on $wlan_if inet from $wlan_net to <local_net>
block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to !<local_net> \
keep state
block out log quick on $srv_if
</snip>
<local_net> is a table of the directly attached local networks, I
try to connect from my wireless to a wired lan.
But, tcpdump on pflog0 shows this:
000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 >
192.168.0.254.80: [|tcp]
000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 >
192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]
Evidently, the packet is matched by the correct pass in rule, yet
no state is created and it is subsequently blocked by the block
out rule.
I can add a pass out rule to get through, but that shouldn't be
the correct solution, why does pf not keep state?
Thanks, Erik
More information about the freebsd-questions
mailing list