FreeBSD Mail Archives

Date:      Wed, 03 Sep 2008 14:49:25 -0400
From:      Jon Radel <jon@radel.com>
To:        Peter Wullinger <peter.wullinger@googlemail.com>
Cc:        Guido van Rooij <guido@gvr.org>, freebsd-pf@freebsd.org
Subject:   Re: keeping state on outgoing connections fails (?)
Message-ID:  <48BEDC35.3050802@radel.com>
In-Reply-To: <20080903161759.GA2761@kaliope.home>
References:  <20080903110943.GA25396@gvr.gvr.org>	<20080903152632.GA89687@icarus.home.lan> <20080903161759.GA2761@kaliope.home>


[-- Attachment #1 --]
Peter Wullinger wrote:
> I'll reply to Jeremy, since his answer somehow confused me. 
> 
> In epistula a Jeremy Chadwick, die horaque Wed Sep  3 17:26:32 2008:
>> On Wed, Sep 03, 2008 at 01:09:43PM +0200, Guido van Rooij wrote:
>>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>>
>>> ep0: 1.2.3.4/24
>>> bge0: 10.0.0.1/24
>>>
>>> ruleset (made as simple as possible):
>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
>>> block drop out log quick on ep0 all
>>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
> 
> At little bit of guessing led me to the (possible, I have not tested
> this) culprit: Is your state-policy set to "floating" or "if-bound"?
> 
> From a casual look at the log entries and traffic snapshots you have sent, 
> this seems to be pf working in "if-bound" mode. In this case, the
> created state table entry matches incoming on bge0, but not on
> outgoing on ep0 any more (packets pass through pf twice, as expected).
> 
> This still maybe a bug, but it's common to rule out all possible
> culprits before spreading blame.
> 

My understanding is that "if-bound" would have an effect on this
scenario if the OP, for example, had two interfaces on the same "side"
of the firewall, say bge0 and bge1, and packets for a connection that
was originally established by a packet outbound on bge0 might cross on
either bge0 or bge1 traveling in the same direction with respect to the
FreeBSD router with the configuration.

In this case we're talking about packets that are traveling in one
direction with respect to the router on bge0 and the other direction on
ep0, so you'd need separate state entries no matter what you've done
with if-bound.

--Jon Radel


[-- Attachment #2 --]
0�	*�H��
��0�10	+0�	*�H��
��	10��0�\�m����t�������v0
	*�H��
0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10URadel10U*
Jon Thomas10UJon Thomas Radel10	*�H��
	
jon@radel.com0�"0
	*�H��
�0�
��t,P���p�#�
٬q�_�2�=�L����-^m�>�z3�����ʟV�!��[(�[ A���o������E��}ϛ�3/��6�?񥃮�c��W�x(/��)'�$6�s�T�l<*�i��'��=���uox�Mbt�
���r�dtn��x��ud���1�R6����T����>z�U0���FZ,v�N�9�NP{�>q�E�`^���P;	�*Wg/jN*O�V�ՠ��Q����M���B�(�=����:����
��*0(0U0�
jon@radel.com0U�00
	*�H��
����h�!o�ܨ��[�А!f�N#[�Z�
�b$3?�x&��$�~Ħ9�}`�MX[It}�/�b�XZa����jgx���ɥ��' �2N��rt�WA�r �sFި��'���^@mDVw\��)����0��0�\�m����t�������v0
	*�H��
0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10URadel10U*
Jon Thomas10UJon Thomas Radel10	*�H��
	
jon@radel.com0�"0
	*�H��
�0�
��t,P���p�#�
٬q�_�2�=�L����-^m�>�z3�����ʟV�!��[(�[ A���o������E��}ϛ�3/��6�?񥃮�c��W�x(/��)'�$6�s�T�l<*�i��'��=���uox�Mbt�
���r�dtn��x��ud���1�R6����T����>z�U0���FZ,v�N�9�NP{�>q�E�`^���P;	�*Wg/jN*O�V�ՠ��Q����M���B�(�=����:����
��*0(0U0�
jon@radel.com0U�00
	*�H��
����h�!o�ܨ��[�А!f�N#[�Z�
�b$3?�x&��$�~Ħ9�}`�MX[It}�/�b�XZa����jgx���ɥ��' �2N��rt�WA�r �sFި��'���^@mDVw\��)����0�?0���
0
	*�H��
0��10	UZA10UWestern Cape10U	Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0)	*�H��
	personal-freemail@thawte.com0
030717000000Z
130716235959Z0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0��0
	*�H��
��0����Ħ<UsU�N�ʙZh�up��������[�v�:a�Q���P
0�cZ,�p����+�Z�?qV˯<���6$*�+��w=�+��>�@�dק���e��*T�H���<a@dr`�����0��0U�0�0CU<0:08�6�4�2http://crl.thawte.com/ThawtePersonalFreemailCA.crl0U0)U"0 �010UPrivateLabel2-1380
	*�H��
��H��P��.�
�f�g�����C���L!��6�-�6/��P �p<���ab��:~�����t�%P�b��'qW%�ݩ�9�� Oe_�������N���4�[5Mw�V!x��!5�$��F�]_eO1�d0�`0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAm����t�������v0	+���0	*�H��
	1	*�H��
0	*�H��
	1
080903184925Z0#	*�H��
	1Ȕ�����^�.,r*���&0R	*�H��
	1E0C0
*�H��
0*�H��
�0
*�H��
@0+0
*�H��
(0��	+�71x0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAm����t�������v0��*�H��
	1x�v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAm����t�������v0
	*�H��
�gɻ�վ�nt	F����x���U�d�d!p�o���Ζ�@����F/sir�z\q��!�������� �,E�P�D!�`������W�}BZG���z;�7�E ��	/M���M˶��Y�ޤ�N㥿�Ա��h{�t��q�Ş���G���(er
�����<�39_�&c�eY�Xz5P�����?,<�}�^c��z^a�X�m[vgltP���)�w|k���I��)P1�*�|����M��G��P�B#5���

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48BEDC35.3050802>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation