Date:      Thu, 8 Nov 2007 20:43:22 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-net@freebsd.org
Cc:        Dag-Erling Smørgrav <des@des.no>
Subject:   Re: pf misfeature
Message-ID:  <200711082043.31664.max@love2party.net>
In-Reply-To: <86zlxoblmj.fsf@ds4.des.no>
References:  <86zlxoblmj.fsf@ds4.des.no>


On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
>   pass on $eth from $lan to $lan
>
> However, in pf, "keep state" is *implicit* (why?), so you'd expect it
> to turn into something like this:
>
>   pass on $eth from $lan to $lan keep state
>
> but what you actually get is this:
>
>   pass on $eth from $lan to $lan flags S/SA keep state
>
> which only matches TCP handshakes, so your UDP streams are screwed.

I don't think this is true.  It will match any protocol, but if it is tcp
it will make sure it's the initial SYN.  This is necessary in order to
have the state tracking work with window scaling etc.

In my quick testing, icmp and udp both match the expanded rule.

> Workaround: explicitly specify TCP and UDP, causing pf to split the
> rule into two:
>
>   pass on $eth inet proto { tcp, udp } from $lan to $lan
>
> becomes
>
>   pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
>   pass on $eth inet proto udp from $lan to $lan keep state
>
> There does not seem to be any way to turn off this misguided rewriting
> of firewall rules.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
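
A way to see the expansion Max describes for yourself (an added example, not part of the thread): write the rules to a file and run `pfctl -n -v -f FILE`, which parses the ruleset without loading it and prints each rule in the form pf will apply. The macro values `em0` and `192.168.1.0/24` are placeholders, not anything from the thread.

```pf
# Added example: pf.conf fragment illustrating the rule expansion discussed
# above.  $eth and $lan are placeholder macros; adjust for your network.
eth = "em0"
lan = "192.168.1.0/24"

# 1. Implicit form.  pf adds "flags S/SA keep state" when no flags or state
#    option is given.  The rule still matches UDP and ICMP; the flag check
#    is only applied to TCP, where it requires the initial SYN.
pass on $eth from $lan to $lan

# 2. Explicit per-protocol form.  A proto list makes pf emit one rule per
#    protocol; only the TCP rule carries the flag check.
pass on $eth inet proto { tcp, udp, icmp } from $lan to $lan

# 3. If TCP must also be matched mid-stream (e.g. connections that were
#    open before this ruleset loaded), "flags any" drops the SYN
#    requirement.  Caveat: such states are created without seeing the
#    handshake, so the window-scaling tracking Max mentions may not work
#    for those connections.  pf's last matching rule wins, so this rule
#    overrides rule 2 for TCP.
pass on $eth inet proto tcp from $lan to $lan flags any keep state

# 4. Stateless matching: "no state" suppresses the state entry altogether,
#    so every packet is evaluated against the ruleset.
pass on $eth inet proto udp from $lan to $lan no state
```

Check the file with `pfctl -n -v -f /path/to/pf.conf` before loading it; the verbose parse prints rule 1 in the `flags S/SA keep state` form quoted in the thread and prints rule 2 as three separate rules. `pfctl -s rules` shows the same expanded form for whatever ruleset is currently loaded.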



