Date: Thu, 28 Feb 2008 10:12:21 -0500
From: "Vadym Chepkov" <vchepkov@gmail.com>
To: "Kian Mohageri" <kian.mohageri@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state
Message-ID: <002701c87a1c$51a9bad0$050a0a0a@chepkov.lan>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com> <fee88ee40802280656y7b63cd27r78a35e7ac8507e71@mail.gmail.com>
It was not my intention to argue with anybody; I was trying to understand why the packet was blocked, and my reply to Daniel got bounced, so I posted it in the distro. I got it now: IN packet state doesn't match IN packets, only OUT. Thank you.

Vadym

----- Original Message -----
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Vadym Chepkov" <vchepkov@gmail.com>
Cc: <freebsd-pf@freebsd.org>
Sent: Thursday, February 28, 2008 9:56 AM
Subject: Re: floating keep state

> On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <vchepkov@gmail.com> wrote:
>> set block-policy return
>> set state-policy floating
>> pass in log quick proto udp from any to 10.10.10.1 port domain keep state
>> block in log from any to 10.10.11.254
>>
>> 22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
>> 22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
>>
>
> States not only have address/port pairs in them (among other things),
> but they also have a direction.
>
> The request packet (coming in on xl1) creates a state that will match
> the following:
>
> 10.10.11.254:32772 ==> 10.10.10.1:53 (IN)
> 10.10.10.1:53 ==> 10.10.11.254:32772 (OUT)
>
> The same packet is filtered again on xl0, but notice it will not match
> this state because its direction is now "out". As Daniel said, it's
> passed anyway because of the implicit pass rule at the end of your
> ruleset (by the way this makes it difficult to troubleshoot problems).
>
> Server receives packet and replies:
>
> 10.10.10.1:53 ==> 10.10.11.254:32772 (IN)
>
> Notice this will not match the state created above (direction is IN,
> not OUT), and it will also be blocked by your second rule.
>
> -Kian
>
> PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)
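The state-direction behaviour Kian describes above, as an added example that is not code from the thread or from pf itself: a toy model in which a state remembers the direction of the packet that created it and matches a packet only when its address/port pair and direction both line up. The interfaces, addresses, ports and rules are taken from Vadym's ruleset and pflog output; the extra `pass out on xl0 ... keep state` rule in the fixed ruleset is the usual remedy and is my addition, not something the thread proposes.

```python
def state_matches(state, pkt):
    """state: (dir, src, sport, dst, dport); pkt: (iface, dir, src, sport, dst, dport).
    Same direction as the creating packet: match as-is; opposite direction: endpoints swapped."""
    sdir, src, sport, dst, dport = state
    _, pdir, psrc, psport, pdst, pdport = pkt
    if pdir == sdir:
        return (psrc, psport, pdst, pdport) == (src, sport, dst, dport)
    return (psrc, psport, pdst, pdport) == (dst, dport, src, sport)

def rule_matches(rule, pkt):
    iface, pdir, _, _, pdst, pdport = pkt
    return (rule["dir"] == pdir and rule.get("on", iface) == iface
            and rule.get("to", pdst) == pdst and rule.get("port", pdport) == pdport)

def filter_packets(rules, packets):
    """Verdict per packet: state lookup first, else last matching rule wins ('quick' stops), else implicit pass."""
    states, verdicts = [], []
    for pkt in packets:
        if any(state_matches(s, pkt) for s in states):
            verdicts.append("pass:state")
            continue
        winner = None
        for r in rules:
            if rule_matches(r, pkt):
                winner = r
                if r.get("quick"):
                    break
        if winner is None:
            verdicts.append("pass:implicit")
        else:
            if winner["action"] == "pass" and winner.get("keep_state"):
                states.append(pkt[1:])  # the state remembers this packet's direction
            verdicts.append(winner["action"] + ":rule")
    return verdicts

# Vadym's two rules and the three packets from his pflog output.
ORIGINAL = [
    {"action": "pass", "dir": "in", "quick": True, "to": "10.10.10.1", "port": 53, "keep_state": True},
    {"action": "block", "dir": "in", "to": "10.10.11.254"},
]
# Usual remedy (my addition): also keep state for the query as it leaves on xl0.
FIXED = ORIGINAL[:1] + [
    {"action": "pass", "dir": "out", "on": "xl0", "quick": True, "to": "10.10.10.1", "port": 53, "keep_state": True}
] + ORIGINAL[1:]
PACKETS = [
    ("xl1", "in", "10.10.11.254", 32772, "10.10.10.1", 53),   # query enters on xl1
    ("xl0", "out", "10.10.11.254", 32772, "10.10.10.1", 53),  # same query leaves on xl0
    ("xl0", "in", "10.10.10.1", 53, "10.10.11.254", 32772),   # server's reply arrives on xl0
]
```

With ORIGINAL the reply is blocked by rule 1 exactly as in the log; with FIXED the outbound query creates a state whose reverse direction is IN, so the reply matches that state.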