From: Guido van Rooij <guido@gvr.org>
To: Jon Radel
Cc: freebsd-pf@freebsd.org
Date: Wed, 3 Sep 2008 14:54:07 +0200
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <20080903125407.GA27232@gvr.gvr.org>
In-Reply-To: <48BE864C.6000006@radel.com>
References: <20080903110943.GA25396@gvr.gvr.org> <48BE864C.6000006@radel.com>

On Wed, Sep 03, 2008 at 08:42:52AM -0400, Jon Radel wrote:
> Guido van Rooij wrote:
> >
> > Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
> >
> > ep0: 1.2.3.4/24
> > bge0: 10.0.0.1/24
> >
> > ruleset (made as simple as possible):
> > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
> >
> > When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
> > and passes because of rule 1.
> > Then the packet goes out via bge0, is passed via rule 3 and a state entry is
> > created.
> >
> > The return SYN/ACK comes in via bge0 and passes because of the state entry.
> >
> > Then the packet should be sent out via ep0, but it is blocked, as pflogd shows:
>
> And does the problem go away when you put a "keep state" at the end of
> line 1?
>

I don't know. Due to the nature of the setup, that is not an option (like I
posted in the original mail, this is a very simplistic ruleset; the real life
situation will be a 5-interface setup with a lot more complexity. Being able
to set state on outgoing packets is crucial).

I did test the following ruleset:

pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
block drop out log quick on ep0 all
pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2

And there it works, but doesn't solve my problem unfortunately.

-Guido
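The following is an added example, not code from the thread or from pf itself: a simplified Python model of how the pf of that era (FreeBSD 6.x, default "floating" state policy, no NAT) keys TCP state entries by packet direction. It assumes the lan/gwy/ext keying described in the comments and reproduces both outcomes reported above: the reply is blocked on ep0 when state is kept on the outbound bge0 rule, and passes when state is kept on the inbound ep0 rule. Rule and packet values are the ones from the posted rulesets.

```python
from dataclasses import dataclass, field
from typing import Optional

# Model of pf's direction-keyed state table (assumption, simplified):
#   a state created by "pass out" records lan=src, gwy=src, ext=dst;
#   a state created by "pass in"  records ext=src, gwy=dst, lan=dst.
# Lookups use (lan, ext) = (src, dst) for outbound packets and
# (ext, gwy) = (src, dst) for inbound ones, so a state only matches the
# reply travelling in the opposite direction on whichever interface.

@dataclass
class Rule:
    direction: str                 # "in" or "out"
    iface: str
    action: str                    # "pass" or "block"
    src: Optional[str] = None      # None means "any"
    dst: Optional[str] = None
    keep_state: bool = False

@dataclass
class Pf:
    rules: list
    states: set = field(default_factory=set)

    def _create_state(self, direction, src, dst):
        if direction == "out":
            lan, gwy, ext = src, src, dst
        else:
            ext, gwy, lan = src, dst, dst
        self.states.add(("lan_ext", lan, ext))
        self.states.add(("ext_gwy", ext, gwy))

    def test(self, direction, iface, src, dst):
        """Verdict for one packet: state lookup first, then first matching quick rule."""
        tree = "lan_ext" if direction == "out" else "ext_gwy"
        if (tree, src, dst) in self.states:
            return "pass"
        for r in self.rules:
            if (r.direction, r.iface) != (direction, iface):
                continue
            if r.src not in (None, src) or r.dst not in (None, dst):
                continue
            if r.action == "pass" and r.keep_state:
                self._create_state(direction, src, dst)
            return r.action
        return "pass"                  # pf's implicit default when no rule matches

def run_connection(pf):
    """Forward SYN: in ep0, out bge0. Reply SYN/ACK: in bge0, out ep0. Returns 4 verdicts."""
    c, s = "1.2.3.1", "10.0.0.2"
    return (pf.test("in", "ep0", c, s), pf.test("out", "bge0", c, s),
            pf.test("in", "bge0", s, c), pf.test("out", "ep0", s, c))

def ruleset_keep_state_out():          # the original ruleset from the thread
    return [Rule("in", "ep0", "pass", "1.2.3.1", "10.0.0.2"),
            Rule("out", "ep0", "block"),
            Rule("out", "bge0", "pass", "1.2.3.1", "10.0.0.2", keep_state=True)]

def ruleset_keep_state_in():           # the variant Guido tested afterwards
    return [Rule("in", "ep0", "pass", "1.2.3.1", "10.0.0.2", keep_state=True),
            Rule("out", "ep0", "block"),
            Rule("out", "bge0", "pass", "1.2.3.1", "10.0.0.2")]
```

Running `run_connection(Pf(ruleset_keep_state_out()))` yields a block for the fourth packet (the SYN/ACK leaving via ep0), while the inbound-state variant passes all four.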