Date:      Wed, 26 Mar 2008 17:20:41 +0100
From:      "Dalibor Gudzic" <dalibor.gudzic@gmail.com>
To:        "Jeremy Chadwick" <koitsu@freebsd.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Bacula File/Storage Connection Woes using PF
Message-ID:  <866fa9520803260920s61c09e54v398be6cf0312a90b@mail.gmail.com>
In-Reply-To: <20080326154217.GA87250@eos.sc1.parodius.com>
References:  <9DE6EC5B5CF8C84281AE3D7454376A0D6D0290@cetus.dawnsign.com> <20080326025316.GA68607@eos.sc1.parodius.com> <866fa9520803260802v3686b24dq1ee7aa1cc4b35f75@mail.gmail.com> <20080326154217.GA87250@eos.sc1.parodius.com>

On Wed, Mar 26, 2008 at 4:42 PM, Jeremy Chadwick <koitsu@freebsd.org> wrote:

>
> Now the opposite, where some host on the Internet attempts to connect to
> 4.4.4.4 on port 22:
>
>  somehost -> pfbox      = TCP flags SYN set, ACK not set
>                         = PASS: matches rule #4
>  pfbox    -> somehost   = TCP flags: SYN set, ACK set
>                         = PASS: matches rule #2
>  somehost -> pfbox      = TCP flags SYN not set, ACK set
>                         = PASS: matches rule #4
>
> A state-table entry won't be created for this one, since rule #1
> specifies "flags S/SA" (won't match SYN+ACK both set).
>
> If one was to add "keep state" to rule #4 (RELENG_6), or use RELENG_7
> (where "keep state" is implied) and some host on the Internet attempts
> to connect to 4.4.4.4 on port 22, we should see:
>
>  somehost -> pfbox      = TCP flags SYN set, ACK not set
>                         = PASS: matches rule #4
>                         = pf creates state-table entry for tracking
>  pfbox    -> somehost   = TCP flags: SYN set, ACK set
>                         = PASS: has state-table entry
>  somehost -> pfbox      = TCP flags SYN not set, ACK set
>                         = PASS: has state-table entry
>
> Do we agree?
>
> --
> | Jeremy Chadwick                                    jdc at parodius.com |
> | Parodius Networking                           http://www.parodius.com/ |
> | UNIX Systems Administrator                      Mountain View, CA, USA |
> | Making life hard for others since 1977.                  PGP: 4BD6C0CB |
>
Seems to be OK now. Sorry, I should have made it clearer in the
previous message; I meant, and should've said, "SYN-ACK", i.e. the response
packet from the host.
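The stateless versus stateful behaviour discussed in the quoted walkthrough, as an added pf.conf fragment that is not part of the original thread (the interface name is assumed, and the rules are constructed around the 4.4.4.4 port 22 case from the message, not the poster's actual ruleset):

```pf
# Constructed pf.conf fragment, not the ruleset from the thread; "em0" is an
# assumed interface name and 4.4.4.4 is the address used in the discussion.
ext_if = "em0"

# RELENG_6 style, no "keep state": this rule passes the inbound SYN and the
# client's later bare ACK, but pf creates no state entry, so the SYN+ACK that
# pfbox sends back must be passed by a separate outbound rule.
pass in on $ext_if proto tcp from any to 4.4.4.4 port 22
pass out on $ext_if proto tcp from 4.4.4.4 port 22 to any

# Stateful form: "flags S/SA" makes the rule match only the initial SYN
# (of the SYN and ACK bits, SYN set and ACK clear), so neither the SYN+ACK
# nor the bare ACK matches it; "keep state" creates the state entry on that
# first SYN, and the rest of the connection in both directions is passed by
# the state entry rather than by a rule. On RELENG_7 "keep state" is
# implied, but writing it out documents the intent.
pass in on $ext_if proto tcp from any to 4.4.4.4 port 22 flags S/SA keep state
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -s state` lists the entry created by the initial SYN, which is the quickest way to confirm which of the two forms is actually in effect.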
