From owner-freebsd-pf@FreeBSD.ORG Wed May 16 19:59:53 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B03A516A404 for ; Wed, 16 May 2007 19:59:53 +0000 (UTC) (envelope-from fox@verio.net)
Received: from dfw-smtpout1.email.verio.net (dfw-smtpout1.email.verio.net [129.250.36.41]) by mx1.freebsd.org (Postfix) with ESMTP id 87EB513C469 for ; Wed, 16 May 2007 19:59:53 +0000 (UTC) (envelope-from fox@verio.net)
Received: from [129.250.36.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout1.email.verio.net with esmtp id 1HoPf4-0006Oi-1A for freebsd-pf@freebsd.org; Wed, 16 May 2007 19:59:50 +0000
Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp3.email.verio.net with esmtp id 1HoPf3-0002OJ-TF for freebsd-pf@freebsd.org; Wed, 16 May 2007 19:59:49 +0000
Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id 23F038E131; Wed, 16 May 2007 14:59:49 -0500 (CDT)
Date: Wed, 16 May 2007 14:59:49 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20070516195948.GA22335@verio.net>
References: <464B487C.1050301@tomjudge.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <464B487C.1050301@tomjudge.com>
User-Agent: Mutt/1.5.9i
Subject: Re: Packet Path Through PF (once for each interface?)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 16 May 2007 19:59:53 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Judge wrote:
>
> I have a question about the number of times a packet passes through pf
> on a router.
The PF subsystem always examines every packet that passes in or out an
interface. For a forwarded packet that means it will be examined twice.
However, your question seems to be more in regards to whether the packet
gets matched against the rulebase. That is a subtly different question.

> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
>
> Does a packet being routed from em0 to em1 pass through PF twice?
>
> Would the following example work to only pass ssh connections from
> 172.31.0.0/24 into 172.31.1.0/41
>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> block in log inet from any to any
> block out log inet from any to any

Because of the "keep state" qualifier, PF will build a state entry, which
allows matching packets to be passed without examining the rulebase.

So, PF does indeed examine every packet, once when it comes in an
interface, and again when the packet goes out the opposite interface, but
because a state table entry matches the packet, it is allowed to pass
without examining the rulebase beyond the first packet.

So, packets are "passed through" PF, but the rulebase is "passed through"
only once for packets matching the rule.

> Or do I have to have the following rules for it to work?
>
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state

If you were to leave out the "keep state" qualifier, you would need rules
matching the inbound and outbound packets.

I think you would find, if you went ahead and tried the above, that the
second rule never sees any matches, because the first rule handles them
and builds state, which causes the second rule never to be used.

- --
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing,
but I couldn't give it up because by that time I was too famous."
-- Robert Benchley

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGS2K0FSrKRjX5eCoRApIoAKCbbICHHJ3asueiJHH+ToARLW/kUQCeNveO
HQDMENFXxk8GEsp/hoCWkdY=
=WYco
-----END PGP SIGNATURE-----