Date: Sun, 1 Dec 2019 21:38:54 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Message-ID: <20191201143854.GB71897@admin.sibptus.ru>
In-Reply-To: <20191121151041.GA93735@admin.sibptus.ru>
References: <20191121151041.GA93735@admin.sibptus.ru>
There is still one thing I cannot understand about pf's notion of state.
Consider this very simple example:

=====================================
# DMZ 172.16.1.0/24
pass in on $dmz
#block in on $dmz from any to 192.168.0.0/16

# Inside 192.168.10.0/24
pass in on $inside
=====================================

While the "block ..." line is commented out, I can "telnet 172.16.1.10 80"
from 192.168.10.3. But when I uncomment the "block ..." line and restart pf,
I cannot do that any more. Why is that?

My idea was that the "pass in on $inside" creates state so that return
traffic from 172.16.1.10:80 to 192.168.10.3:52447 should be permitted, but
this is not happening. Why?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
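The question above turns on pf's packet decision order. The following is an added toy model, not part of the thread and not pf's own code, that implements the three documented pf behaviours which decide the outcome: the state table is consulted before the ruleset, among matching rules the last one wins unless `quick` is set, and `set state-policy` controls whether a state created on one interface also matches packets arriving on another (`floating`, the default) or only on the interface it was created on (`if-bound`). The class and function names (`ToyPF`, `Rule`, `Packet`, `simulate`) and the SYN / SYN-ACK pair are constructed for the illustration; the ruleset and addresses are the ones from the mail.

```python
"""Toy model of pf's decision order (constructed illustration, not pf source):
1. state table lookup first; a hit passes without touching the ruleset,
2. otherwise last matching rule wins unless the rule is `quick`,
3. `state-policy floating` (default) vs `if-bound` decides whether a state
   created on $inside can match the reply arriving on $dmz."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str
    src: str = "any"       # "any" or a CIDR prefix
    dst: str = "any"
    quick: bool = False
    keep_state: bool = True  # pf creates state for pass rules by default

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.iface == pkt.iface
                and self._addr_match(self.src, pkt.src)
                and self._addr_match(self.dst, pkt.dst))


class ToyPF:
    def __init__(self, rules, state_policy="floating"):
        assert state_policy in ("floating", "if-bound")
        self.rules = list(rules)
        self.state_policy = state_policy
        self.states = set()

    def _state_key(self, pkt: Packet):
        # Bidirectional key: the reply has the same two endpoints, swapped.
        key = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
        if self.state_policy == "if-bound":
            key += (pkt.iface,)   # state only matches on its own interface
        return key

    def filter(self, pkt: Packet):
        """Return (action, reason); reason names the state or the rule index."""
        if self._state_key(pkt) in self.states:
            return "pass", "state"
        decision, matched = ("pass", "default"), None  # no match: pf passes
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                decision, matched = (rule.action, f"rule {idx}"), rule
                if rule.quick:
                    break
        if matched is not None and matched.action == "pass" and matched.keep_state:
            self.states.add(self._state_key(pkt))
        return decision


def simulate(state_policy="floating", block_enabled=True):
    """Run the mail's two inbound packets through the mail's ruleset and
    return the decision for the SYN-ACK coming back in on $dmz."""
    rules = [Rule("pass", "in", "dmz")]
    if block_enabled:  # the line that is commented out in the mail
        rules.append(Rule("block", "in", "dmz", dst="192.168.0.0/16"))
    rules.append(Rule("pass", "in", "inside"))
    pf = ToyPF(rules, state_policy)
    # Constructed packets: the client's SYN in on $inside, the server's
    # SYN-ACK in on $dmz, with the addresses and ports from the mail.
    syn = Packet("inside", "in", "192.168.10.3", 52447, "172.16.1.10", 80)
    syn_ack = Packet("dmz", "in", "172.16.1.10", 80, "192.168.10.3", 52447)
    pf.filter(syn)            # matches "pass in on $inside", creates state
    return pf.filter(syn_ack)


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        for block in (False, True):
            print(f"state-policy {policy:9} block rule {str(block):5} ->",
                  simulate(policy, block))
```

In the model, with the default floating policy the SYN-ACK is passed by the state regardless of the block rule, which is the behaviour the mail expects; the block rule only wins when states are interface-bound, because the reply then falls through to the ruleset and the later `block in on $dmz` rule overrides the earlier `pass in on $dmz`. The thread excerpt does not give the actual cause on the reporter's box; checking the `state-policy` in effect and whether `pfctl -ss` shows the expected state for the connection is where a defender would start comparing the real system against this model.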
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191201143854.GB71897>