From: "N. Ersen SISECI" <siseci@gmail.com>
To: freebsd-pf@FreeBSD.org
Date: Tue, 27 Jun 2006 16:58:04 +0300
Message-ID: <44A1396C.7040708@gmail.com>
Subject: Re: Keep State is not working on 6.1-RELEASE-p1

So we don't have a "keep state" interpretation like ipf etc.
(OK, I understand the floating option for the state table. It is not related to our problem.)

What we are looking for is to be able to pass through the firewall with one set of rules per allowed traffic, like it used to be in ipf-like firewalls.

For pf, a solution we came up with:

    pass in quick ... port 22 ... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    pass in quick .... keep state tag XYZ
    ....
    ....
    # last rules
    block in all
    # let everything out with a new state entry
    # (the option is "tagged XYZ" together with "keep state")
    pass out all tagged XYZ keep state

Is there another way to securely let everything "pass through" the firewall, without having to write another rule for outgoing packets?

We have hundreds of rules on our gateway, and it is quite difficult to duplicate rules and keep track of the incoming interface as well as the outgoing interface.

Thanks for your help

N. Ersen SISECI
http://www.enderunix.org

Daniel Hartmeier wrote:

> On Tue, Jun 27, 2006 at 01:36:52PM +0300, N. Ersen SISECI wrote:
>
>> My first rule is pass in all with keep state. But the packets do not
>> seem to be able to pass out from the other interface. If I change the last
>> block's to "pass" everything works fine. It seems that the state table
>> is always on if-bound'ed???
>>
>> Is there a solution for this problem, or do I miss a configuration with
>> kernel, pf, pf.conf etc... ??? or is this a bug :)
>
> Neither, your interpretation of 'floating' does not match reality, see
>
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2
>
> In short, create two state entries per connection.
>
> Daniel
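As an added illustration (not from the thread or either poster), a complete pf.conf for a two-interface gateway that combines the tag approach sketched above with Daniel's advice: each allowed service gets one inbound rule that creates the first state entry and tags the packet, and a single tagged outbound rule creates the second state entry. Interface names, the LAN network and the port list are assumptions.

```pf
# Added example, not from the thread. Interface names, networks and
# ports are assumptions; adjust them for the gateway in question.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.4.0/24"
allowed_tcp = "{ 22, 25, 80, 443 }"

# Default deny in both directions on every interface, so anything that
# is not explicitly tagged on the way in is dropped on the way out.
block in all
block out all

# One rule per allowed service on the inbound interface. "keep state"
# creates the first state entry (on $int_if); "tag" marks the packet so
# the outbound rule can recognise it without repeating the filter terms.
pass in quick on $int_if proto tcp from $lan_net to any port $allowed_tcp \
    tag ALLOWED keep state
pass in quick on $int_if proto udp from $lan_net to any port 53 \
    tag ALLOWED keep state
pass in quick on $int_if inet proto icmp from $lan_net to any \
    icmp-type echoreq tag ALLOWED keep state

# A single outbound rule creates the second state entry (on $ext_if) for
# anything an inbound rule already tagged. The tag exists only inside
# this host while the packet is being forwarded, so packets arriving from
# outside can never carry it and still fall through to "block out all".
pass out quick on $ext_if tagged ALLOWED keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; after loading, `pfctl -ss` should show two entries per forwarded connection, one per interface.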