From owner-freebsd-net@freebsd.org  Fri Apr  7 07:48:08 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 81361D31C97
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Fri,  7 Apr 2017 07:48:08 +0000 (UTC) (envelope-from nbe@renzel.net)
Received: from nijmegen.renzel.net (mx1.renzel.net [195.243.213.130])
 by mx1.freebsd.org (Postfix) with ESMTP id 472A6FA9
 for <freebsd-net@freebsd.org>; Fri,  7 Apr 2017 07:48:07 +0000 (UTC)
 (envelope-from nbe@renzel.net)
X-Virus-Scanned: GDATA Antivirus at gdata-milter.renzel.de.isb
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=7.0 tests=ALL_TRUSTED,BAYES_00
 autolearn=ham version=3.3.2
Received: from dublin.vkf.isb.de.renzel.net (unknown [10.0.0.80])
 by nijmegen.renzel.net (smtpd) with ESMTP id 3E60D1414807
 for <freebsd-net@freebsd.org>; Fri,  7 Apr 2017 09:47:58 +0200 (CEST)
Received: from asbach.renzel.net (unknown [172.18.96.1])
 by dublin.vkf.isb.de.renzel.net (Postfix) with ESMTPA id 37E1A81314
 for <freebsd-net@freebsd.org>; Fri,  7 Apr 2017 09:47:58 +0200 (CEST)
From: Nils Beyer <nbe@renzel.net>
Subject: Re: [PF] Symmetric routing enforcement, how-to without using
 "reply-to"...
To: freebsd-net@freebsd.org
References: <4956261.2DO1X0b8Gd@asbach.renzel.net>
 <CADDnucn51R2vzyPGKOjiAzj5kjuCZ3gRPCkwFn5RoC+338=bvQ@mail.gmail.com>
Message-ID: <da74ee12-6d70-37a8-0e5a-d3cd4cf39ddd@renzel.net>
Date: Fri, 7 Apr 2017 09:47:58 +0200
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101
 Thunderbird/52.0
MIME-Version: 1.0
In-Reply-To: <CADDnucn51R2vzyPGKOjiAzj5kjuCZ3gRPCkwFn5RoC+338=bvQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on nijmegen.renzel.net
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 07:48:08 -0000

On 04/07/2017 03:40, Takahiro Kurosawa wrote:
> What if you change the line:
> pass in inet proto tcp to port { ssh }
> to:
> pass in inet proto tcp to port { ssh } no state

close, but I had to use the "no state" on the "pass out" rules as well.
Now it looks like that:
-----------------------------------------------------------------------
scrub in all

set skip on lo0

pass in quick inet proto icmp from any to self no state
pass in quick inet proto tcp from any to self port { ssh } no state
block in quick log to self

pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any
pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any no state
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any no state
pass out quick from self
-----------------------------------------------------------------------


> Without "no state", the incoming ssh packet generates a pf state entry,
> then the response packets are probably passed by the state instead of
> using "route-to" rules.

that makes absolute sense...



Regards,
Nils