Date: Thu, 8 Nov 2007 20:43:22 +0100
From: Max Laier <max@love2party.net>
To: freebsd-net@freebsd.org
Cc: Dag-Erling Smørgrav <des@des.no>
Subject: Re: pf misfeature
Message-ID: <200711082043.31664.max@love2party.net>
In-Reply-To: <86zlxoblmj.fsf@ds4.des.no>
References: <86zlxoblmj.fsf@ds4.des.no>
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
> pass on $eth from $lan to $lan
>
> However, in pf, "keep state" is *implicit* (why?), so you'd expect it
> to turn into something like this:
>
> pass on $eth from $lan to $lan keep state
>
> but what you actually get is this:
>
> pass on $eth from $lan to $lan flags S/SA keep state
>
> which only matches TCP handshakes, so your UDP streams are screwed.
I don't think this is true. It will match any protocol, but if it is tcp
it will make sure it's the initial SYN. This is necessary in order to
have the state tracking work with window scaling etc.
In my quick testing, icmp and udp both match the expanded rule.
> Workaround: explicitly specify TCP and UDP, causing pf to split the
> rule into two:
>
> pass on $eth inet proto { tcp, udp } from $lan to $lan
>
> becomes
>
> pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
> pass on $eth inet proto udp from $lan to $lan keep state
>
> There does not seem to be any way to turn off this misguided rewriting
> of firewall rules.
--
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
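The following is an added illustration, not code from the thread, from pf, or from any FreeBSD project code. It is a toy model of the rewriting the two posters describe: macro substitution, splitting a `proto { ... }` list into one rule per protocol, the implicit `keep state` on pass rules, and the default `flags S/SA` on rules that can match TCP. A simplified first-packet matcher then shows the point of Max's reply: the expanded rule still admits UDP and ICMP, and only constrains TCP to the initial SYN. The macro values (`em0`, `192.168.1.0/24`), the packet dictionaries, and the matcher itself are assumptions made for the example; the model also goes slightly beyond the thread by handling `flags any`, the pf.conf option that disables the TCP flag check.

```python
"""Toy model of pf rule expansion and first-packet matching (illustration only)."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional

# Macro values are assumed for the example; the thread only names $eth and $lan.
MACROS = {"eth": "em0", "lan": "192.168.1.0/24"}

# Minimal grammar covering the rule forms that appear in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+on\s+(?P<iface>\S+)"
    r"(?:\s+(?P<af>inet6?))?"
    r"(?:\s+proto\s+(?P<proto>\{[^}]*\}|\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
    r"(?:\s+(?P<state>keep state|modulate state|synproxy state|no state))?\s*$"
)


@dataclass
class Rule:
    action: str
    iface: str
    af: Optional[str]
    proto: Optional[str]
    src: str
    dst: str
    flags: Optional[str]
    state: Optional[str]

    def __str__(self):
        parts = [self.action, "on", self.iface]
        if self.af:
            parts.append(self.af)
        if self.proto:
            parts += ["proto", self.proto]
        parts += ["from", self.src, "to", self.dst]
        if self.flags:
            parts += ["flags", self.flags]
        if self.state:
            parts.append(self.state)
        return " ".join(parts)


def parse_rule(text, macros=MACROS):
    """Substitute $macros and parse one pf.conf rule into a Rule."""
    text = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], text.strip())
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    return Rule(**m.groupdict())


def expand_rule(text, macros=MACROS):
    """Return the rules pfctl would load for one rule written in pf.conf."""
    r = parse_rule(text, macros)
    if r.proto and r.proto.startswith("{"):
        protos = [p.strip() for p in r.proto.strip("{}").split(",")]
    else:
        protos = [r.proto]
    expanded = []
    for proto in protos:
        e = replace(r, proto=proto)
        if e.action == "pass" and e.state is None:
            e.state = "keep state"  # pass rules keep state implicitly
        # A stateful rule that may see TCP gets the default SYN-only check,
        # unless flags were given explicitly (including "flags any").
        if e.state not in (None, "no state") and e.flags is None and proto in (None, "tcp"):
            e.flags = "S/SA"
        expanded.append(e)
    return expanded


def first_packet_matches(rule, pkt):
    """Simplified match of a connection's first packet against one rule.

    Later packets of a tracked connection match the state entry pf created,
    not this rule, which is why flags S/SA does not break the rest of a
    TCP handshake; it only decides which packet is allowed to create state.
    """
    if pkt["iface"] != rule.iface:
        return False
    if rule.proto and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if pkt["proto"] == "tcp" and rule.flags and rule.flags != "any":
        want, mask = rule.flags.split("/")  # "S/SA": of S and A, only S set
        if {f for f in pkt["tcp_flags"] if f in mask} != set(want):
            return False
    return True


def check(rule_text, pkt):
    """True if any rule expanded from rule_text admits the constructed packet."""
    return any(first_packet_matches(e, pkt) for e in expand_rule(rule_text))


if __name__ == "__main__":
    for text in ("pass on $eth from $lan to $lan",
                 "pass on $eth inet proto { tcp, udp } from $lan to $lan",
                 "pass on $eth from $lan to $lan flags any"):
        print(text)
        for e in expand_rule(text):
            print("   ->", e)
```

On a real host the equivalent check is `pfctl -nvf /etc/pf.conf`, which parses the ruleset without loading it and prints each rule in its expanded form; that output, not the model above, is the authority on what a given pf version does.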
