From: Kajetan Staszkiewicz
To: freebsd-pf@freebsd.org
Subject: Re: "keep state" does not work
Date: Sun, 6 Jul 2014 23:12:22 +0200
Message-Id: <201407062312.32278.vegeta@tuxpowered.net>
In-Reply-To: <6851EFD94261DC4E81707E7F29930840B1A039E6@HIKAWSEX01.ad.harman.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tuesday, 1 July 2014 at 14:40:47, Spenst, Aleksej wrote:
> Hi All,
>
> I have a problem that when I use the rules with "keep state" my use case
> does not work. When I use two rules "pass out" and "pass in" (instead of
> one "pass out" rule with keep state) then everything works.
>
> These rules work fine:
>
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> pass in quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

When displaying states, add -v. You will see which rule really created them.

You should need only one of those rules. Judging from where the port number is
specified, I guess that it is (self) creating connections to hosts in
172.16.222/24. In that case you should only need the "out" rule. Each new TCP
connection should then create a state and the next packets in those connections
should be passed by matching a state instead of being pushed down the firewall
rule list.

One more thing: such passing rules are in fact created with a requirement for
TCP flags to be SYN or SYN+ACK. This means that when you first start pf,
existing TCP sessions will not match those rules at all and will not create
new states.

> Now, instead of these two rules I write the following rule with "keep
> state" and it does not work:
>
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> keep state
>
> The strange thing is that in this case I don't see any blocked packets in
> logs!

You have presented just one (or two) lines of the firewall. If there is nothing
else, there is no blocking. If there are more rules, presenting your whole
firewall will greatly help to investigate the issue.

> I also see that the state "self -> 172.16.222/24 port 7236" always
> exists.

Just a moment ago you said that "it does not work". Now you say that states
are created. Those statements quite oppose each other.

> Does anyone have experience that "keep state" does not work as expected for
> some reason?

Broken TCP packets, asymmetric routing (usually fixed with sloppy tracking),
a change of routing when pf is already running (fixed with sloppy + flags==any,
but this costs you security), and finally some bugs in pf. But probably not in
this case.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
| Vegeta                 | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
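The rule forms discussed in this thread, written out as an added pf.conf example (this is not from either poster's configuration). It assumes the pf found in FreeBSD since 7.0 (derived from OpenBSD 4.1), where a plain `pass` rule already implies `flags S/SA keep state`; the interface name wfd0, the 172.16.222.0/24 network and port 7236 are taken from the thread, written here with the full dotted-quad network address.

```pf
# Added example, not from the thread. Interface, network and port follow
# the original question; the explicit options show what pf applies by
# default to a "pass" rule on FreeBSD (OpenBSD 4.1-derived pf and later).

# Form 1: the pair of rules the poster reports as working. Each "pass" rule
# keeps state by default, so both create state entries. "pfctl -ss -vv"
# lists every state with the number of the rule that created it, which is
# the check suggested in the reply above.
pass out quick on wfd0 proto tcp from (self) to 172.16.222.0/24 port 7236
pass in  quick on wfd0 proto tcp from 172.16.222.0/24 port 7236 to (self)

# Form 2: a single outbound rule, with the implicit defaults spelled out.
# "flags S/SA" means: of the SYN and ACK bits, only SYN may be set, so only
# the first packet of a new connection creates the state. The returning
# SYN+ACK and every later segment match the state entry, never the rule
# list. A connection that was already established before pf was (re)loaded
# never presents a bare SYN, so it never matches this rule and gets no state.
pass out quick on wfd0 proto tcp from (self) to 172.16.222.0/24 port 7236 \
    flags S/SA keep state

# Variant for the asymmetric-routing case mentioned in the reply: "sloppy"
# disables the TCP sequence-window checks and "flags any" lets a mid-stream
# segment create state. Both remove protection that strict tracking gives,
# so apply them only to the flows that actually need them.
pass out quick on wfd0 proto tcp from (self) to 172.16.222.0/24 port 7236 \
    flags any keep state (sloppy)
```

Load the chosen form with `pfctl -f /etc/pf.conf` and, after opening one connection to port 7236, compare the `rule N` field in `pfctl -ss -vv` output against `pfctl -sr -vv`, which prints the rule set with the same numbering; a state attributed to a rule other than the one you expect is the usual sign that an earlier rule in the list is matching first.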