From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Mario Lobo
Cc: freebsd-questions@freebsd.org
Date: Fri, 16 Jul 2010 21:58:31 +0100
Subject: Re: pf behavior question
Message-ID: <4C40C7F7.4080005@infracaninophile.co.uk>
In-Reply-To: <201007161722.04902.mlobo@digiart.art.br>
On 16/07/2010 18:22:04, Mario Lobo wrote:
> Hi;
>
> System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386
>
> The question is about how pf acts in a specific situation.
>
> Suppose I have the following rules:
>
> pass in log inet proto tcp from $int_if to any port 8021 \
>     flags S/SA keep state tag test
>
> rule 2 ....
> rule 3 .....
> .
> rule n ....
>
> pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp)
>
> Suppose the packet matches the first rule.
>
> According to what I read about pf, it will keep parsing the rules (no "quick"
> on the first rule). When it reaches the last rule, the tag will match and the
> packet will pass.
>
> I don't believe I'll have 2 state table entries for the same packet after the
> last rule matches. Or will I?
>
> What is the proper way to use the tag created on the first rule, as far as the
> state table is concerned?

Correct, essentially.

No, you won't end up with two entries in the state table from this -- it's only the last matching rule that causes the state table to be modified. In fact, you simply can't have two state table entries for the same (i/f, proto, srcaddr, srcport, destaddr, destport) tuple, because those six quantities are together used as the index into the state table. (Note: i/f is usually 'all' unless you've 'set state-policy if-bound' or equivalent, so generating state on one interface allows a packet to pass on any interface.)

You don't get much from using tagging in the case you show -- as you've only got one rule to apply tags, you might as well have let that be the place where you decided to pass or block the packet.
Tagging is a lot more useful where you need several different rules to identify a particular class of traffic: you can apply the tag from several different matching rules, and then have just one rule to express your policy for that class of traffic. See the example in http://www.openbsd.org/faq/pf/tagging.html which gives a pretty good idea how it all works.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
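A pf.conf sketch of the pattern described in the reply (several rules classify the traffic by tagging it, one rule expresses the policy), added here as an illustration and not part of the original thread. The interface name, LAN range, host address and the altq queue named `ftp` are assumptions.

```pf
# Added example, not from the thread. Assumes em0 is the inside interface,
# 192.168.1.0/24 is the LAN, and an altq queue named "ftp" is already defined.
int_if         = "em0"
lan            = "192.168.1.0/24"
ftp_proxy_port = "8021"      # ftp-proxy listening port, as in the thread

# States are keyed on (i/f, proto, src, sport, dst, dport). Without this line
# i/f is 'all', so a state created on one interface passes on any interface.
set state-policy if-bound

# Default policy: last matching rule wins, so untagged inbound traffic that
# matches nothing below ends up here.
block in log on $int_if

# --- classification: each of these rules may apply the tag. None is 'quick',
# so evaluation continues; a tag, once applied, is sticky (pf.conf(5)) and a
# later matching rule without a tag does not remove it.
pass in on $int_if inet proto tcp from $lan to any port $ftp_proxy_port \
    flags S/SA keep state tag FTP
pass in on $int_if inet proto tcp from $lan to any port 21 \
    flags S/SA keep state tag FTP
pass in on $int_if inet proto tcp from 192.168.1.10 to any port 2121 \
    flags S/SA keep state tag FTP

# ... unrelated rules for other services can sit here ...

# --- policy: the one rule that decides for the whole class. Being 'quick' it
# ends evaluation, so it is the last matching rule: it alone creates the single
# state entry, and that entry carries the queue assignment.
pass in log quick on $int_if inet proto tcp tagged FTP keep state queue (ftp)
```

Check it with `pfctl -nf /etc/pf.conf` before loading; `pfctl -vvss` afterwards shows one state per connection, attributed to the rule number of the tagged policy rule.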