From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 16:29:37 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD6E916A56E for ; Tue, 27 Jun 2006 16:29:37 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B11144A75 for ; Tue, 27 Jun 2006 16:11:05 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.13.4) with ESMTP id k5RGB4lA023546 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Tue, 27 Jun 2006 18:11:04 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k5RGB3Vx010682; Tue, 27 Jun 2006 18:11:03 +0200 (MEST)
Date: Tue, 27 Jun 2006 18:11:02 +0200
From: Daniel Hartmeier
To: "N. Ersen SISECI"
Message-ID: <20060627161102.GF14502@insomnia.benzedrine.cx>
References: <44A1396C.7040708@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <44A1396C.7040708@gmail.com>
User-Agent: Mutt/1.5.10i
Cc: freebsd-pf@freebsd.org
Subject: Re: Keep State is not working on 6.1-RELEASE-p1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 27 Jun 2006 16:29:38 -0000

On Tue, Jun 27, 2006 at 04:58:04PM +0300, N. Ersen SISECI wrote:

> For pf a solution we come up with:
>
> pass in quick ... port 22 ... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> pass in quick .... keep state tag XYZ
> ....
> ....
> #last rules
> block in all
>
> #let everything out with a new state entry
> pass out all keep tagged XYZ

Yes, that'll work fine.

> Is there another way to securely let everything "pass through" the firewall
> without having to write another rule for outgoing packets? We have
> hundreds of rules on our gateway, and it is quite difficult to duplicate
> rules and keep track of the incoming interface as well as the outgoing
> interface...

One common approach is to only filter incoming packets, and to let
everything pass out from the firewall. This covers all forwarded traffic:
anything leaving the firewall must first have passed in (and has,
therefore, been checked).

It does not cover connections originating from the firewall itself. But
often, you either don't run any processes on the firewall (that need to
connect out), or you trust those implicitly.

Another common case is a three (or more) legged firewall, where you have
strict policies about what interface a type of connection may enter and
where it may and may not leave (e.g. in on if1, out on if2, but never out
on if3), i.e. you don't trust the routing table (which might be
dynamically updated). In this case, you DO need per-interface rules, and
they are not really duplicates. Tagging helps in this case, too (you'd
tag passed incoming packets so they'd be allowed out on a specific other
interface).

I guess it boils down to whether you

a) trust all processes on the firewall
b) trust the routing table on the firewall

Daniel
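The following pf.conf fragment is an added example written for this archive page; it is not part of the thread and not Daniel's or the original poster's ruleset. It shows the two designs Daniel describes side by side: the inbound-only filter that trusts the routing table, and the three-legged layout where tags pin each accepted flow to the one interface it may leave on. Interface names (em0/em1/em2), the network ranges, the allowed ports and the tag names are all assumptions chosen for illustration.

```pf
# Added example (not from the thread). Interfaces, networks, ports and
# tag names are assumed values; adjust to your own topology.
ext_if = "em0"                 # upstream / Internet
lan_if = "em1"                 # internal clients
dmz_if = "em2"                 # public servers
lan_net = "192.168.1.0/24"     # constructed sample range
dmz_net = "192.168.2.0/24"     # constructed sample range

set skip on lo0

# Default deny in both directions. Because "block out all" is present,
# a forwarded packet can only leave through a "pass out" rule below, so a
# change in the routing table cannot silently open a new exit path.
block in all
block out all

# Design A: trust the routing table, filter only on the way in.
# With the block rules above you would replace everything after this
# comment with a single egress rule:
#   pass out quick all keep state
# Everything that made it through the "pass in" checks is then free to
# leave on whatever interface the kernel routes it to.

# Design B: three-legged firewall, do not trust the routing table.
# Each "pass in" tags the accepted flow; the matching "pass out" is bound
# to exactly one interface. A tagged packet that the routing table sends
# to any other interface hits "block out all" and is dropped.

# LAN clients may reach the DMZ web servers, and only via $dmz_if.
pass in quick on $lan_if inet proto tcp from $lan_net to $dmz_net \
    port { 80, 443 } keep state tag LAN_TO_DMZ
pass out quick on $dmz_if inet tagged LAN_TO_DMZ keep state

# LAN clients may reach the Internet, and only via $ext_if (never $dmz_if).
pass in quick on $lan_if inet from $lan_net to ! $dmz_net \
    keep state tag LAN_TO_EXT
pass out quick on $ext_if inet tagged LAN_TO_EXT keep state

# The Internet may reach DMZ web servers, and only via $dmz_if (never $lan_if).
pass in quick on $ext_if inet proto tcp from any to $dmz_net \
    port { 80, 443 } keep state tag EXT_TO_DMZ
pass out quick on $dmz_if inet tagged EXT_TO_DMZ keep state

# Connections originating on the firewall itself are never tagged by a
# "pass in" rule (they were never forwarded), so they need their own
# explicit egress rule. This is the gap Daniel points out: keep it as
# narrow as the processes on the box actually require.
pass out quick on $ext_if inet proto { tcp, udp } from $ext_if to any \
    port 53 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. To confirm that a tag really confines a flow, generate a LAN-to-DMZ connection and run `pfctl -ss`: you should see one state on $lan_if and one on $dmz_if for it, and nothing on $ext_if. The deliberate asymmetry of design B is the point: the cost of per-interface rules is paid in exchange for not depending on the correctness of a routing table that may be updated dynamically.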