From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Date: Mon, 2 Dec 2019 15:18:08 +0100
Message-ID: <9c221ef5-e300-378b-1db8-6de18e652000@tuxpowered.net>
In-Reply-To: <1c3f3105-86c4-e61a-7d81-f4d794773542@viklenko.net>
On 02.12.19 11:23, Artem Viklenko via freebsd-pf wrote:
> Hi!
>
> Check current state-policy - if-bound or floating.
> If it is if-bound, out rules are needed. If floating - the state should pass
> traffic in the reverse direction.

That's not true. Created pf states will always match bidirectional traffic. State-bound means that finding the existing state for an incoming packet is done not only by the normal TCP/IP quadruple; the incoming interface is checked as well.

Floating is useful when you have a router and a given TCP session can move from one uplink to another. Packets will still match a connection established before.

Interface-bound is useful if you have traffic passing twice via the same router, two ways.
For example, you run pf on a router and one host behind the router wants to talk to another host behind the same router, but the traffic is not routed by this router itself and is always sent to another router instead. In this case a packet incoming from the originating host would be indistinguishable from the packet bounced back by the upstream router, if not for the interface being added to the state key.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
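The two state policies discussed in this thread, as an added pf.conf example that is not part of the original message. The interface names (em0, em1), the LAN prefix and the port list are assumptions for illustration; the syntax is the standard pf `set state-policy` option and the per-rule `keep state (...)` override.

```pf
# Added example, not from the thread. Interface names and the LAN prefix
# are assumptions for illustration only.
ext_if = "em0"
int_if = "em1"
lan    = "192.0.2.0/24"

# Global default: every state is keyed on the interface it was created on,
# so the same 4-tuple seen on another interface does not match it.
# Use "floating" instead if sessions may shift between uplinks.
set state-policy if-bound

block log all

# Per-rule override: this state stays floating even under the global
# if-bound policy, so packets of the session still match if the path
# moves to another uplink.
pass in quick on $int_if proto tcp from $lan to any port { 80 443 } \
    keep state (floating)

# The hairpin case from the message above: LAN-to-LAN traffic that the
# upstream router bounces back to us on $ext_if. With an interface-bound
# state, the packet arriving from the originating host on $int_if and the
# same packet returning on $ext_if differ in the state key.
pass in quick on $int_if proto tcp from $lan to $lan keep state (if-bound)
```

To check which policy a given state ended up with, run `pfctl -ss`: a floating state is listed with `all` in the interface column, an interface-bound one with the interface name (`em1`, `em0`) it was created on.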