Date:      Sun, 6 Jul 2014 23:12:22 +0200
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: "keep state" does not work
Message-ID:  <201407062312.32278.vegeta@tuxpowered.net>
In-Reply-To: <6851EFD94261DC4E81707E7F29930840B1A039E6@HIKAWSEX01.ad.harman.com>
References:  <6851EFD94261DC4E81707E7F29930840B1A039E6@HIKAWSEX01.ad.harman.com>

On Tuesday, 1 July 2014 at 14:40:47, Spenst, Aleksej wrote:
> Hi All,
> 
> I have a problem that when I use the rules with "keep state" my use case
> does not work. When I use two rules "pass out" and "pass in" (instead of
> one "pass out" rule with keep state) then everything works.
> 
> These rules work fine:
> 
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> pass in quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

When displaying states, add -v. You will see which rule really created them.

You should need only one of those rules. Judging from where the port number is
specified, I guess that it is (self) creating connections to hosts in
172.16.222/24. In that case you should only need the "out" rule. Each new TCP
connection should then create a state and the next packets in those connections
should be passed by matching a state instead of being pushed down the firewall
rule list.

One more thing, such passing rules in fact are created with a requirement for
TCP flags to be SYN or SYN+ACK. This means that when you first start pf,
existing TCP sessions will not match those rules at all and will not create new
states.

> Now, instead of these two rules I write the following rule with "keep
> state" and it does not work:
> 
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> keep state
> 
> The strange thing is that in this case I don't see any blocked packets in
> logs!

You have presented just one (or two) lines of firewall. If there is nothing
else, there is no blocking. If there are more rules, presenting your whole
firewall will greatly help to investigate the issue.

> I also see that the state "self -> 172.16.222/24 port 7236" always
> exists.

Just a moment ago you've said that "it does not work". Now you say that states
are created. Those statements are quite opposing each other.

> Does anyone have experience that "keep state" does not work as expected for
> some reason?

Broken TCP packets, asymmetric routing (usually fixed with sloppy tracking),
change of routing when pf is already running (fixed with sloppy + flags==any
but this costs you security), finally some bugs in pf. But probably not in
this case.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
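As an added illustration (not part of the thread, and not Kajetan's or Aleksej's configuration), a pf.conf fragment that puts the stateless pair from the question next to the single stateful rule the reply recommends, and shows the sloppy / flags any relaxation the reply mentions together with its cost. The interface wfd0, the 172.16.222.0/24 network and port 7236 come from the question; the macro names are assumed.

```conf
# Added example, not from the thread. wfd0, 172.16.222.0/24 and port 7236
# are taken from the question; the macro names are assumed.
ext_if = "wfd0"
peers  = "172.16.222.0/24"
port   = "7236"

# The pair from the question. On FreeBSD pf a TCP "pass" rule already
# keeps state by default, so the "pass in" line only matters for
# connections that the peers open towards (self), not for replies to
# connections (self) opened itself:
#   pass out quick on $ext_if proto tcp from (self) to $peers port $port
#   pass in  quick on $ext_if proto tcp from $peers port $port to (self)

# Single stateful rule in the direction the connection is opened.
# "flags S/SA" and "keep state" are pf's defaults for TCP; they are
# written out so the behaviour is visible: only a packet with SYN set
# and ACK clear is matched against this rule, the state it creates then
# passes the rest of that connection in both directions on $ext_if.
pass out quick on $ext_if proto tcp from (self) to $peers port $port \
    flags S/SA keep state

# Consequence of "flags S/SA": a TCP session established before pf was
# loaded never sends a fresh SYN, so it matches neither the rule nor
# any state. If such sessions, or asymmetric routing, must be tolerated,
# the tracking can be relaxed: "sloppy" skips the sequence-number window
# checks and "flags any" lets a mid-stream packet create the state.
# Both weaken pf's defence against injected or spoofed segments, so
# limit them to the one rule that needs them.
#   pass out quick on $ext_if proto tcp from (self) to $peers port $port \
#       flags any keep state (sloppy)

# To see which rule really created a state, list states verbosely; each
# state then shows "rule N", and N matches the "@N" numbering printed by
# the verbose rule listing:
#   pfctl -ss -v
#   pfctl -sr -vv
```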

