From: Tom Judge
Date: Wed, 16 May 2007 21:31:37 +0100
To: David DeSimone
Cc: Greg.Hennessy@nviz.net, freebsd-pf@freebsd.org
Subject: Re: Packet Path Through PF (once for each interface?)
Message-ID: <464B6A29.2020107@tomjudge.com>
In-Reply-To: <20070516195948.GA22335@verio.net>
References: <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

David DeSimone wrote:
> Tom Judge wrote:
>> I have a question about the number of times a packet passes through pf
>> on a router.
>
> The PF subsystem always examines every packet that passes in or out an
> interface. For a forwarded packet that means it will be examined twice.
>
> However, your question seems to be more in regards to whether the packet
> gets matched against the rulebase. That is sort of a subtly different
> question.
>
>> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
>>
>> Does a packet being routed from em0 to em1 pass through PF twice?
>>
>> Would the following example work to only pass ssh connections from
>> 172.31.0.0/24 into 172.31.1.0/41
>>
>> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>> block in log inet from any to any
>> block out log inet from any to any
>
> Because of the "keep state" qualifier, PF will build a state entry,
> which allows matching packets to be passed, without examining the
> rulebase. So, PF does indeed examine every packet, once when it comes
> in an interface, again when the packet goes out the opposite interface,
> but because a state table entry matches the packet, it is allowed to
> pass without examining the rulebase beyond the first packet.
>
> So, packets are "passed through" PF, but the rulebase is "passed
> through" only once for packets matching the rule.
>
>> Or do I have to have the following rules for it to work?
>>
>> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>
> If you were to leave out the "keep state" qualifier, you would need
> rules matching the inbound and outbound packets. I think you would
> find, if you went ahead and tried the above, that the second rule never
> sees any matches, because the first rule handles them and builds state
> which causes the second rule to never be used.
>

According to the diagram that Greg sent a link to
(http://homepage.mac.com/quension/pf/flow.png), state is checked for every
interface. However, is the state information tied to an interface?
172.31.0.0/24>em0-[Router 1]-|-em1<->em1-|-[Router 2]-em0<172.31.1.0/24
                             |-em2<->em2-|

Assuming that the routes are managed by a routing protocol such as OSPF, and
em1 is the normal primary link, but when em1 is down em2 should restrict
certain traffic. If the state is not tied to an interface then:

pass in quick on em0 proto tcp from 172.31.0.0/21 to 172.31.1.0/24 port 22 keep state

This rule would allow ssh traffic across both em1 and em2. I can't see from
the diagram, if state data is shared, how one would block egress ssh traffic
on em2, as it would never hit another rule because the state would cause it to
get passed straight away. Whereas if there are separate state 'tables', then a
second rule for egress traffic on em1 would be required, and egress traffic on
em2 would get caught by the default block rule.

All these rules are assumed to be on Router 1.

I would have thought that the state tables would be independent for the
ingress and egress interfaces; could someone clarify this please?

Thanks
Tom
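The behaviour Tom is asking about is selected in pf.conf by the `set state-policy` option (or the per-rule `keep state (if-bound)` / `(floating)` modifier): floating states, the default, match a packet on any interface, while if-bound states match only on the interface they were created on. The ruleset below is an added example written for this message, not a configuration from Tom's or David's mail; it uses the interface names and networks from the diagram above and the ssh-only policy Tom describes, and it assumes it is loaded on Router 1.

```pf
# Added example (not from the thread): Router 1's pf.conf contrasting
# floating and interface-bound states. Interfaces and networks are the
# ones from the diagram above.

near_lan = "172.31.0.0/24"
far_lan  = "172.31.1.0/24"

# Floating states are pf's default. A state created by the em0 ingress
# rule then matches the same connection on em1 AND em2, so the egress
# block below never sees the ssh packets and ssh leaks across em2 when
# routing fails over. Swap the two lines to observe that:
# set state-policy floating

# Interface-bound states: the state built on em0 matches only on em0.
# The packet leaving em1 must match its own pass-out rule (which builds
# an em1-bound state); the same packet leaving em2 falls through to the
# default block and is logged there.
set state-policy if-bound

# default deny, logged, in both directions on every interface
block in  log inet from any to any
block out log inet from any to any

# ssh from the near LAN to the far LAN: one state per traversed interface
pass in  quick on em0 proto tcp from $near_lan to $far_lan port 22 keep state
pass out quick on em1 proto tcp from $near_lan to $far_lan port 22 keep state

# deliberately no pass-out rule on em2: with if-bound states the ssh
# sessions are dropped and logged on em2 by the default block rule
```

After `pfctl -f /etc/pf.conf`, `pfctl -ss` shows which policy is in effect: an if-bound state is listed with the interface it belongs to (for example `em0 tcp ...`), whereas a floating state is listed as `all tcp ...`. To verify the failover case, watch `pflog0` with tcpdump while em1 is down and confirm that the ssh SYNs appear as blocked on em2 rather than passing.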