From owner-freebsd-pf@FreeBSD.ORG Wed Sep 3 18:25:13 2008
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Guido van Rooij
Date: Wed, 3 Sep 2008 20:25:11 +0200
In-Reply-To: <20080903110943.GA25396@gvr.gvr.org>
Message-Id: <200809032025.11619.max@love2party.net>
Subject: Re: keeping state on outgoing connections fails (?)
On Wednesday 03 September 2008 13:09:43 Guido van Rooij wrote:
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>
> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
> and passes because of rule 1.
> Then the packet goes out via bge0, is passed via rule 3 and a state entry
> is created.
>
> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>
> Then the packet should be sent out via ep0, but it is blocked, as pflogd
> shows: 000000 rule 1/0(match): block out on ep0: 10.0.0.2.25
>

There is no state entry and no rule that would allow traffic to be sent out via ep0. You either have to create state on ep0 or you must allow traffic on ep0 in both directions. I think the ruleset you are looking for is something along the lines of:

block drop all
pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
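To make the state-matching point in the reply concrete, here is a small Python model of pf's direction-aware state lookup written for this thread; it is not pf code and not from either poster. It assumes floating states, no NAT, no port matching, and treats `flags S/SA` as creating state only on a bare SYN; it walks the telnet SYN and its SYN/ACK from the post through both rulesets.

```python
# Toy model of pf's direction-aware state matching, added for this thread; not pf code.
# Ports, NAT and interface-bound states are ignored; quick and last-match-wins are kept.
from collections import namedtuple

# A packet crossing one interface in one direction; flags "S" = SYN, "SA" = SYN/ACK.
Pkt = namedtuple("Pkt", "iface direction src dst flags")
# Rule fields may be "any"; action is "pass" or "block"; direction "in", "out" or "any".
Rule = namedtuple("Rule", "action direction iface src dst keep_state quick",
                  defaults=(False, False))

def rule_matches(r, p):
    return all(w in ("any", h) for w, h in ((r.direction, p.direction),
               (r.iface, p.iface), (r.src, p.src), (r.dst, p.dst)))

def filter_packet(rules, states, p):
    """Return (verdict, reason) and create state where a keep-state rule passes a SYN."""
    # A state keyed (dir, src, dst) matches that flow again and its reply (opposite dir,
    # dst, src) on any interface, like pf's lan_ext/ext_gwy lookups when no NAT is used.
    flip = "in" if p.direction == "out" else "out"
    if (p.direction, p.src, p.dst) in states or (flip, p.dst, p.src) in states:
        return "pass", "state"
    winner = None
    for i, r in enumerate(rules):     # last match wins unless quick; numbered from 0 like pflog
        if rule_matches(r, p):
            winner = (i, r)
            if r.quick:
                break
    if winner is None:
        return "pass", "default"      # pf's implicit default pass
    i, r = winner
    if r.action == "pass" and r.keep_state and p.flags == "S":   # flags S/SA: SYN only
        states.add((p.direction, p.src, p.dst))
    return r.action, f"rule {i}"

def trace(rules):
    """Walk the telnet SYN and its SYN/ACK from the post across ep0 and bge0."""
    states = set()
    crossings = [Pkt("ep0", "in", "1.2.3.1", "10.0.0.2", "S"),
                 Pkt("bge0", "out", "1.2.3.1", "10.0.0.2", "S"),
                 Pkt("bge0", "in", "10.0.0.2", "1.2.3.1", "SA"),
                 Pkt("ep0", "out", "10.0.0.2", "1.2.3.1", "SA")]
    return [filter_packet(rules, states, p) for p in crossings]

ORIGINAL = [Rule("pass", "in", "ep0", "1.2.3.1", "10.0.0.2", quick=True),
            Rule("block", "out", "ep0", "any", "any", quick=True),
            Rule("pass", "out", "bge0", "1.2.3.1", "10.0.0.2", keep_state=True, quick=True)]
CORRECTED = [Rule("block", "any", "any", "any", "any"),
             Rule("pass", "in", "ep0", "1.2.3.1", "10.0.0.2", keep_state=True),
             Rule("pass", "out", "bge0", "1.2.3.1", "10.0.0.2", keep_state=True)]
# trace(ORIGINAL)[3] == ("block", "rule 1"), the same rule pflog reports in the post.
```

The fourth crossing is the SYN/ACK leaving on ep0: with the original rules no state matches it in the outbound direction, so the quick block on ep0 wins; with keep state on the inbound ep0 rule, that state's reply entry matches and the packet passes.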