Date: Wed, 3 Sep 2008 18:17:59 +0200
From: Peter Wullinger <peter.wullinger@googlemail.com>
To: Jeremy Chadwick <koitsu@FreeBSD.org>
Cc: Guido van Rooij <guido@gvr.org>, freebsd-pf@freebsd.org
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <20080903161759.GA2761@kaliope.home>
In-Reply-To: <20080903152632.GA89687@icarus.home.lan>
References: <20080903110943.GA25396@gvr.gvr.org> <20080903152632.GA89687@icarus.home.lan>
I'll reply to Jeremy, since his answer somehow confused me.

In epistula a Jeremy Chadwick, die horaque Wed Sep 3 17:26:32 2008:
> On Wed, Sep 03, 2008 at 01:09:43PM +0200, Guido van Rooij wrote:
> >
> > Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
> >
> > ep0: 1.2.3.4/24
> > bge0: 10.0.0.1/24
> >
> > ruleset (made as simple as possible):
> > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

A little bit of guessing led me to the (possible, I have not tested this) culprit:

Is your state-policy set to "floating" or "if-bound"?

From a casual look at the log entries and traffic snapshots you have sent, this seems to be pf working in "if-bound" mode. In this case, the created state table entry matches incoming on bge0, but not on outgoing on ep0 any more (packets pass through pf twice, as expected).

This still may be a bug, but it's common to rule out all possible culprits before spreading blame.

In epistula a Jeremy Chadwick, die horaque Wed Sep 3 17:26:32 2008:
> I'm a bit confused by these rules and your network configuration.
> Rule #1 allows any packet with a source address of 1.2.3.1, arriving on
> the ep0 interface, destined to 10.0.0.2. How exactly are packets
> arriving on ep0 (which is bound to 1.2.3.0/24) with a destination of
> 10.0.0.2 in the first place? That seems strange. Is your gateway on
> your network blindly forwarding packets between networks or something?
> Or is this FreeBSD box acting *as* a gateway?

It seems to be a gateway, forwarding packets. What exactly do you find strange? Have I missed something?

Peter

--
Listening was an art, he had developed over the years. Because if you listened long and hard enough, people would tell you more, they thought they knew.
-- Terry Pratchett, Thief Of Time
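The following is an added illustration, not code from the thread or from pf itself: a deliberately simplified Python model of pf's state lookup that walks Guido's three-rule ruleset through both hops of a forwarded TCP request and its reply, once with `state-policy floating` and once with `if-bound`. It ignores ports, TCP flags and rule ordering beyond the fact that every rule on the page is `quick`, and the packets are constructed from the addresses in the thread. Its only purpose is to show why Peter's hypothesis would reproduce the observed drop: under `if-bound` the state created by rule 3 on bge0 is keyed to bge0, so the reply's second pass (out on ep0) falls through to rule 2.

```python
"""Toy model of pf state matching under "floating" vs "if-bound" state-policy.

Simplifications (this is NOT pf's implementation): addresses only (no ports or
TCP flags), every rule is treated as 'quick' (first match wins), and the state
key is just the protocol plus the unordered endpoint pair, with the interface
added under if-bound.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out"
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: str
    src: Optional[str] = None   # None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.iface == pkt.iface
                and (self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto))


class PF:
    def __init__(self, rules: List[Rule], state_policy: str = "floating"):
        assert state_policy in ("floating", "if-bound")
        self.rules = list(rules)
        self.state_policy = state_policy
        self.states: Set[tuple] = set()

    def _state_key(self, pkt: Packet) -> tuple:
        # A state matches both directions of a flow, hence the unordered pair.
        # Under if-bound the interface is part of the key; under floating it is not.
        key = (pkt.proto, frozenset((pkt.src, pkt.dst)))
        return (pkt.iface,) + key if self.state_policy == "if-bound" else key

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason). As in pf, the state table is consulted first."""
        if self._state_key(pkt) in self.states:
            return "pass", "state"
        for i, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.states.add(self._state_key(pkt))
                return rule.action, f"rule {i}"
        return "pass", "default"  # pf's implicit default when nothing matches


# Guido's ruleset from the thread, in the order given.
RULESET = [
    Rule("pass", "in", "ep0", src="1.2.3.1", dst="10.0.0.2"),
    Rule("block", "out", "ep0"),
    Rule("pass", "out", "bge0", src="1.2.3.1", dst="10.0.0.2", proto="tcp", keep_state=True),
]


def trace_connection(state_policy: str) -> List[Tuple[str, str, str, str]]:
    """Forward one TCP request and its reply through the box; packets cross pf twice each.

    Returns (direction, interface, verdict, reason) for each of the four hops."""
    pf = PF(RULESET, state_policy)
    hops = [
        Packet("ep0", "in", "tcp", "1.2.3.1", "10.0.0.2"),    # request arrives
        Packet("bge0", "out", "tcp", "1.2.3.1", "10.0.0.2"),  # request forwarded (creates state)
        Packet("bge0", "in", "tcp", "10.0.0.2", "1.2.3.1"),   # reply arrives
        Packet("ep0", "out", "tcp", "10.0.0.2", "1.2.3.1"),   # reply forwarded back
    ]
    return [(p.direction, p.iface) + pf.filter(p) for p in hops]


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(f"state-policy {policy}:")
        for direction, iface, verdict, why in trace_connection(policy):
            print(f"  {direction:3} on {iface:4}: {verdict:5} ({why})")
```

With `floating`, all four hops pass and the last two are matched by the state entry; with `if-bound`, the reply's final hop (out on ep0) finds no state bound to ep0 and is dropped by rule 2, which is the logged block Peter is pointing at. The model also makes the two remedies visible: either floating states, or a state-creating rule on the ep0 side as well.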