From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Date: Tue, 3 Dec 2019 13:44:27 +0700
Message-ID: <20191203064427.GA36581@admin.sibptus.ru>
In-Reply-To: <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Here is some output from the real lab (the hosts fw.test, inside.test and
dmz.test are all FreeBSD VMs now). Any comments? Why does the state in the
second case look so odd?
root@fw:~ # cat /etc/rc.conf.local
hostname="fw.test"
ifconfig_vtnet0="DHCP description Outside"
ifconfig_vtnet1="172.16.1.1/24 description DMZ"
ifconfig_vtnet2="192.168.10.1/24 description Inside"
pf_enable="YES"
gateway_enable="YES"

root@fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state

root@fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:41985       ESTABLISHED:ESTABLISHED
root@fw:~ #

root@inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
Connected to dmz.test.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

================================================================
================ and here we enable the "block ..." rule ====
================================================================

root@fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state
root@fw:~ #

root@fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:50565       CLOSED:SYN_SENT
root@fw:~ #

root@inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
telnet: connect to address 172.16.1.10: Operation timed out
telnet: Unable to connect to remote host

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/