Date: Wed, 03 Sep 2008 14:42:11 -0400
From: Jon Radel <jon@radel.com>
To: Max Laier <max@love2party.net>
Cc: Guido van Rooij <guido@gvr.org>, freebsd-pf@freebsd.org
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <48BEDA83.80600@radel.com>
In-Reply-To: <200809032025.11619.max@love2party.net>
References: <20080903110943.GA25396@gvr.gvr.org> <200809032025.11619.max@love2party.net>
Max Laier wrote:
> On Wednesday 03 September 2008 13:09:43 Guido van Rooij wrote:
>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>
>> ep0: 1.2.3.4/24
>> bge0: 10.0.0.1/24
>>
>> ruleset (made as simple as possible):
>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
>> block drop out log quick on ep0 all
>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
>> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
>> and passes because of rule 1.
>> Then the packet goes out via bge0, is passed via rule 3 and a state entry
>> is created.
>>
>> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>>
>> Then the packet should be sent out via ep0, but it is blocked, as pflogd
>> shows: 000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 >
>
> There is no state entry and no rule that would allow traffic to be sent out
> via ep0. You either have to create state on ep0 or you must allow traffic on
> ep0 in both directions. I think the ruleset you are looking for is something
> along the lines of:
>
> block drop all
>
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
> pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
>
The OP didn't like that answer when I gave it to him. Maybe you've
managed to provide a more felicitous wording. ;-)
--Jon Radel
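The exchange above turns on one detail of how pf matches packets against states: a state records the address pair of the connection as seen on its outbound side, and a packet going *out* is compared against that pair directly while a packet coming *in* is compared against the reverse of it, so the state created by the `pass out on bge0 ... keep state` rule can pass the SYN/ACK arriving on bge0 but is never consulted successfully for the same SYN/ACK leaving on ep0. The following Python model, added here as an illustration and not pf's own code or anything from the thread, walks the first segments of Guido's telnet through both rulesets. It is deliberately simplified (floating states only, no NAT, no ports, no TTL/sequence tracking, only the `flags S/SA` check from Max's rules); the addresses, interfaces and rules are the ones quoted above, and the verdict strings are this model's own.

```python
"""Toy model of pf rule and state evaluation for a two-interface forward path.

Added example for the freebsd-pf thread above; simplified, not pf's code.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out"
    src: str
    dst: str
    flags: str        # TCP flags set, e.g. "S" or "SA"


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions ("block all")
    iface: Optional[str] = None      # None matches every interface
    src: Optional[str] = None        # None means "any"
    dst: Optional[str] = None
    quick: bool = False
    keep_state: bool = False
    flags: Optional[Tuple[str, str]] = None  # ("S", "SA") models "flags S/SA"

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.flags is not None:
            check, mask = self.flags
            # "flags S/SA": of the flags in the mask, exactly those in check must be set
            if {f for f in pkt.flags if f in mask} != set(check):
                return False
        return True


class Pf:
    """Floating states (pf's default): keyed by address pair, not by interface."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # each state is stored as the (src, dst) pair of the connection's outbound side
        self.states: Set[Tuple[str, str]] = set()

    @staticmethod
    def _out_key(pkt: Packet) -> Tuple[str, str]:
        # an "out" packet is compared against the stored pair as-is,
        # an "in" packet against the reversed pair
        return (pkt.src, pkt.dst) if pkt.direction == "out" else (pkt.dst, pkt.src)

    def filter(self, pkt: Packet) -> str:
        if self._out_key(pkt) in self.states:
            return "pass (state)"
        # rule walk: last matching rule wins unless a matching rule is "quick"
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass (no matching rule)"   # pf passes when nothing matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._out_key(pkt))
            return "pass (rule, state created)"
        return f"{winner.action} (rule)"


def run_handshake(rules: List[Rule]) -> List[str]:
    """Verdicts for the SYN and SYN/ACK of 1.2.3.1 -> 10.0.0.2 crossing ep0 and bge0."""
    fw = Pf(rules)
    client, server = "1.2.3.1", "10.0.0.2"
    path = [
        Packet("ep0", "in", client, server, "S"),     # client SYN arrives on ep0
        Packet("bge0", "out", client, server, "S"),   # ... forwarded out bge0
        Packet("bge0", "in", server, client, "SA"),   # server SYN/ACK comes in on bge0
        Packet("ep0", "out", server, client, "SA"),   # ... must be forwarded out ep0
    ]
    return [fw.filter(p) for p in path]


# Guido's ruleset: state only on the bge0 side, block everything else out ep0
ORIGINAL = [
    Rule("pass", "in", "ep0", "1.2.3.1", "10.0.0.2", quick=True),
    Rule("block", "out", "ep0", quick=True),
    Rule("pass", "out", "bge0", "1.2.3.1", "10.0.0.2", quick=True, keep_state=True),
]

# Max's ruleset: default block, state created on both interfaces
FIXED = [
    Rule("block"),
    Rule("pass", "in", "ep0", "1.2.3.1", "10.0.0.2", keep_state=True, flags=("S", "SA")),
    Rule("pass", "out", "bge0", "1.2.3.1", "10.0.0.2", keep_state=True, flags=("S", "SA")),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, run_handshake(rules))
```

With `ORIGINAL` the fourth verdict is a block: the SYN/ACK leaving on ep0 has source 10.0.0.2, so it is compared against a stored pair (10.0.0.2, 1.2.3.1) that no rule ever created, and the quick `block out on ep0` rule is the first match. With `FIXED` the inbound SYN on ep0 creates exactly that pair, so both legs of the return path are passed by state and the rules are consulted only for the initial SYNs.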