From owner-freebsd-security@FreeBSD.ORG Thu Jan 26 19:49:07 2006
From: Kian Mohageri
Date: Thu, 26 Jan 2006 11:48:24 -0800
To: freebsd-security@freebsd.org
Subject: stateful rulesets with PF
Message-ID: <43D92788.3030001@restek.wwu.edu>

I've read a bit about how keeping state works with PF and written rulesets which look logical to me, but present some problems intermittently. I believe it has to do with the creation of state entries, and how PF judges what to do in any case.

> pass in quick on em0 from to port any port = 3306 keep state

As I understood it, because I did not specify any flags such as S/SA, pf will be able to pass packets starting mid-session (how or if it does this is where I'm unclear). I'm also unclear about how it will ever judge whether or not to drop packets from to port 3306.

Generally this rule (or a similar one) would work fine; however, I run into problems occasionally in which a client is unable to bypass the firewall to connect to 3306 (mysql) on this server. I notice it mostly with PHP scripts which constantly query the database server.

My initial thought was to check the number of entries in the state table, which I figured might have been full, but it was nowhere near full.

Are there times when stateful rules cause problems like this? It seems like "flags S/SA keep state" should work just fine, which it *usually* does... but I thought I'd ask the experts anyway since I'm seeing problems.

Thanks,
Kian

-- 
Kian Mohageri
ResTek, Western Washington University
kian@restek.wwu.edu
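The two rule forms the post contrasts, as an added pf.conf example that is not from the original message. It assumes interface em0, a MySQL server on port 3306, constructed placeholder addresses, and a default-deny ruleset; the host macros are hypothetical.

```conf
# Added example, not from the original post. Assumes em0 is the inbound
# interface; addresses below are constructed placeholders (RFC 5737).
ext_if    = "em0"
web_hosts = "{ 192.0.2.10, 192.0.2.11 }"   # constructed: PHP hosts querying MySQL
db_srv    = "192.0.2.20"                    # constructed: the MySQL server

# Default deny on the interface (assumed; the original post does not show
# the rest of the ruleset).
block in on $ext_if

# Rule in the style of the post: no "flags" clause. pf then creates a state
# from whichever matching TCP packet it sees first, including one in the
# middle of an already-established connection. A state created mid-stream
# never saw the handshake, so pf cannot learn the negotiated window
# scaling and may later drop legitimate segments of that connection as
# out-of-window. That produces exactly the kind of intermittent failure
# the post describes.
# pass in quick on $ext_if proto tcp from $web_hosts to $db_srv port 3306 keep state

# Preferred form: "flags S/SA" means "of SYN and ACK, only SYN set", so only
# the first packet of a handshake creates state. Every tracked connection is
# then seen from the start, and segments for which no state exists fall
# through to the block rule above instead of spawning a half-tracked state.
pass in quick on $ext_if proto tcp from $web_hosts to $db_srv port 3306 flags S/SA keep state

# Make the "was the state table full?" check explicit rather than assumed.
# The default ceiling is 10000 entries; raise it if the database is busy.
set limit states 20000
```

After loading, compare `pfctl -si` ("current entries") against `pfctl -sm` ("states hard limit") to rule out table exhaustion, and use `pfctl -vvss` to inspect the tracked states for the MySQL port.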