From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF sanity check
Date: Sun, 27 Oct 2013 01:28:47 +0200
Message-Id: <201310270128.47766.vegeta@tuxpowered.net>
On Saturday, 26 October 2013 at 17:36:14, Rumen Telbizov wrote:
> 1. I use quick rules everywhere. Early on in the ruleset I pass everything
> in and out on the $ext_if no state. See below.
> ...
> 2. For inter-vlan traffic it will create double states for the pass rules:
> one state on the way the packet coming in on the source vlan interface and
> another out going out of the destination interface allowing the specific
> traffic.
>
> The question is: Is keeping two states for one connection a bad thing or is
> it an acceptable practice?

It's rather a requirement. A packet incoming on one interface creates a
different state than the same packet outgoing on another interface (even without
an if-bound state policy). And you want further, reverse-direction packets in
connections to be matched to existing states and passed instead of traversing
the rule list or hitting the block rule.

> Here's a reproduction of the ruleset for better understanding:
>
> # ignore the $ext_if below

If you want to fully ignore the interface, you can use "set skip" for that
purpose. Although I'm not sure if NAT will work in such a case, should you need
it. It also would be nice to set skip on the loopback interface.

> pass quick on $ext_if no state

This rule passes the traffic in both directions, so it's probably fine. Although
using stateful inspection would increase security a bit.
> # vlan1
> pass in quick on vlan1 # outgoing state for the internet and other vlans
> pass out quick on vlan1 proto tcp from to 10.1.1.1 port 22
> block quick on vlan1 all
>
> # vlan2
> pass in quick on vlan2
> pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
> block quick on vlan2 all
> ...
>
> block quick all
>

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS       |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net        |
| Vegeta                 | www: http://vegeta.tuxpowered.net           |
`------------------------^---------------------------------------------'
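As an added example that is not part of the original thread, here is a pf.conf fragment that applies the points made above: "set skip" on the loopback interface, a stateful pass on $ext_if in place of the "no state" rule, and the vlan rules that create one state on the ingress vlan and a second on the egress vlan for inter-vlan traffic. The interface name em0 and the "from any" source on the vlan1 SSH rule are assumptions, as is the overall ruleset.

```pf
# Constructed pf.conf fragment; em0 is an assumed interface name.
ext_if = "em0"

# Options must come before filter rules. Skipping lo0 keeps loopback
# traffic out of the state table and the ruleset entirely.
set skip on lo0
# Alternative to "pass quick on $ext_if no state": take the external
# interface out of filtering altogether. As noted in the thread, this
# is of no use if NAT on $ext_if is needed, so it stays commented out.
# set skip on $ext_if

# Weak form from the original ruleset: stateless, replies are never
# checked against an existing connection.
# pass quick on $ext_if no state

# Stateful form: the first packet creates a state and later packets of
# the same connection (including replies) match it, so they never reach
# the block rule. "keep state" is the default for pass rules in modern
# pf and is written out here only for clarity.
pass in  quick on $ext_if keep state
pass out quick on $ext_if keep state

# vlan1: hosts may reach the internet and other vlans (state created on
# the "in" side of vlan1); inbound to vlan1 only SSH to 10.1.1.1.
# "from any" is assumed; the original rule's source was elided.
pass in  quick on vlan1
pass out quick on vlan1 proto tcp from any to 10.1.1.1 port 22
block    quick on vlan1 all

# vlan2: same shape, HTTP to 10.1.2.1 allowed in.
# A vlan1 host connecting to 10.1.2.1:80 gets one state from
# "pass in quick on vlan1" and a second from this "pass out" rule;
# the reply packets match those two states in reverse order.
pass in  quick on vlan2
pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
block    quick on vlan2 all

# Catch-all for anything that matched no quick rule above.
block quick all
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -s state" after some traffic shows the paired vlan1/vlan2 entries for one inter-vlan connection.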