From owner-freebsd-pf@FreeBSD.ORG Wed Sep 3 18:23:03 2008
Date: Wed, 3 Sep 2008 20:23:01 +0200
From: Guido van Rooij
To: Peter Wullinger
Cc: Jeremy Chadwick, freebsd-pf@freebsd.org
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <20080903182301.GA31792@gvr.gvr.org>
In-Reply-To: <20080903161759.GA2761@kaliope.home>
References: <20080903110943.GA25396@gvr.gvr.org> <20080903152632.GA89687@icarus.home.lan> <20080903161759.GA2761@kaliope.home>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Sep 03, 2008 at 06:17:59PM +0200, Peter Wullinger wrote:
>
> A little bit of guessing led me to the (possible, I have not tested
> this) culprit: Is your state-policy set to "floating" or "if-bound"?

I tried both, but there is no difference.

> From a casual look at the log entries and traffic snapshots you have sent,
> this seems to be pf working in "if-bound" mode. In this case, the
> created state table entry matches incoming on bge0, but not on
> outgoing on ep0 any more (packets pass through pf twice, as expected).
>
> This still may be a bug, but it's common to rule out all possible
> culprits before spreading blame.

True, but as state is created on the outbound interface for the first packet (bge), there is no corresponding incoming interface yet.

At least with ipf, the return packet would first match the recorded outgoing interface (bge). Then it follows the gateway's internal routing. When it then goes out and passes through the firewall code, it notices it does not yet know the interface (ep0), records it in the state entry and passes it.

This makes perfect sense: when the original packet would have arrived at a different interface than bge0, there must have been some kind of spoofing and it should have been blocked in the first place.

-Guido
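The if-bound versus floating behaviour the thread turns on, modelled as an added Python simulation (not pf code and not from anyone in this thread). The interface names bge0 and ep0 come from the thread; the ruleset, the addresses and the assumption that only the bge0 rule keeps state are constructed for the example.

```python
from collections import namedtuple

# One pass of a packet through pf: the interface it is seen on and the direction.
Packet = namedtuple("Packet", "src dst ifname direction")  # direction is "in" or "out"

class StateTable:
    """Toy model of pf's state table under 'floating' or 'if-bound' state-policy."""
    def __init__(self, policy):
        assert policy in ("floating", "if-bound")
        self.policy = policy
        self.states = {}  # flow key -> interface the state is bound to (None = floating)
    @staticmethod
    def key(pkt):
        return tuple(sorted((pkt.src, pkt.dst)))  # same key for both directions of a flow
    def create(self, pkt):
        self.states[self.key(pkt)] = pkt.ifname if self.policy == "if-bound" else None
    def matches(self, pkt):
        k = self.key(pkt)
        if k not in self.states:
            return False
        return self.states[k] is None or self.states[k] == pkt.ifname

# Constructed ruleset: (action, direction, interface, keep_state); None means any.
# Last matching rule wins, as in pf. Only the bge0 rule keeps state here, which is the
# situation the thread describes (real pf pass rules keep state by default).
RULESET = [
    ("block", None, None, False),
    ("pass", "in", "ep0", False),
    ("pass", "out", "bge0", True),
]

def filter_packet(table, pkt):
    if table.matches(pkt):
        return "pass"  # an existing state short-circuits rule evaluation
    verdict, keep = "block", False
    for action, direction, ifname, keep_state in RULESET:
        if direction in (None, pkt.direction) and ifname in (None, pkt.ifname):
            verdict, keep = action, keep_state
    if verdict == "pass" and keep:
        table.create(pkt)
    return verdict

def forward_connection(policy):
    """Replay the flow from the thread: a host behind ep0 opens a connection that leaves
    via bge0; the reply arrives on bge0 and must be forwarded out ep0. Returns verdicts."""
    table = StateTable(policy)
    lan, remote = "192.0.2.10", "198.51.100.5"  # constructed documentation addresses
    passes = [Packet(lan, remote, "ep0", "in"), Packet(lan, remote, "bge0", "out"),
              Packet(remote, lan, "bge0", "in"), Packet(remote, lan, "ep0", "out")]
    return [filter_packet(table, p) for p in passes]
```

Under "floating" all four passes are allowed; under "if-bound" the state created on bge0 does not match the reply's second pass out ep0, so that packet falls back to the ruleset and is blocked, which is exactly the symptom the quoted message describes.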