From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 06:31:08 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A07A01065670 for ; Thu, 28 Feb 2008 06:31:08 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [IPv6:2001:6f8:1098::2]) by mx1.freebsd.org (Postfix) with ESMTP id 3BCFA8FC15 for ; Thu, 28 Feb 2008 06:31:07 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id m1S6V6uV032729 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 28 Feb 2008 07:31:06 +0100 (MET)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id m1S6V6Wm016316; Thu, 28 Feb 2008 07:31:06 +0100 (MET)
Date: Thu, 28 Feb 2008 07:31:06 +0100
From: Daniel Hartmeier
To: Vadym Chepkov
Message-ID: <20080228063105.GC32592@insomnia.benzedrine.cx>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 28 Feb 2008 06:31:08 -0000

On Wed, Feb 27, 2008 at 11:02:08PM -0500, Vadym Chepkov wrote:

> My question is, why the reply packet was blocked?

It seems you're misunderstanding what 'floating state' means. It does NOT mean "allow connection on all interfaces". If a connection traverses two interfaces, you need to allow it on both, creating two separate state entries (one incoming, one outgoing).

The 'floating' would come into play if you had more than two interfaces, and the same connection would traverse all three of them, due to dynamic routing. Without dynamic routing, you can pretty much forget about floating states; they do nothing.

The first problem in your ruleset is that it does not block by default. Instead, the packet goes out through xl0 based on the implicit pass rule and does not create a second state. When the reply comes back in on xl0, there is no matching state (the first one created on xl1 does NOT match, as direction is reversed), and no pass rule matches on that interface in this direction. Hence the block.

Add a default block, add a 'pass out ... keep state' rule, and it will work. You probably thought floating states would do that, but they don't.

Daniel
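The ruleset shape Daniel describes, written out as an added pf.conf example (this is not from the thread or from the original poster's ruleset). It assumes xl1 is the LAN-facing interface and xl0 the upstream-facing one, as in the mail; the LAN prefix 192.0.2.0/24 is a constructed placeholder. The broken form is left as a comment next to the corrected one so the two can be compared line by line.

```pf
# Added example, not the original poster's ruleset. Assumes xl1 = LAN side,
# xl0 = upstream side (both named in the thread); 192.0.2.0/24 is a
# constructed placeholder network.
ext_if = "xl0"
int_if = "xl1"
lan    = "192.0.2.0/24"

# "floating" is pf's default state policy. It only allows an EXISTING state
# to match on another interface; it never creates a state on its own, so it
# does not replace the pass out rule below.
set state-policy floating

# --- Broken shape (what the thread diagnoses) ---------------------------
# With no default block, the packet leaves xl0 via the implicit pass and
# creates no state. The reply arrives in on xl0, matches neither the xl1
# state (opposite direction) nor any pass rule, and is dropped.
#
#   pass in on $int_if proto tcp from $lan to any keep state
#
# --- Corrected shape ----------------------------------------------------
# 1. Block by default so every permitted path is an explicit rule.
block all

# 2. Inbound on the LAN side: creates state #1 (direction: in on xl1).
pass in  on $int_if proto tcp from $lan to any keep state

# 3. Outbound on the upstream side: creates state #2 (direction: out on
#    xl0). The reply coming back in on xl0 matches this state.
pass out on $ext_if proto tcp from $lan to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; after a connection from the LAN is opened, `pfctl -ss` should list two entries for it, one on xl1 and one on xl0, which is the pair of states the mail says a two-interface path always needs.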