Date: Thu, 28 Feb 2008 06:56:29 -0800 From: "Kian Mohageri" <kian.mohageri@gmail.com> To: "Vadym Chepkov" <vchepkov@gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: floating keep state Message-ID: <fee88ee40802280656y7b63cd27r78a35e7ac8507e71@mail.gmail.com> In-Reply-To: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com> References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com> <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <vchepkov@gmail.com> wrote:
> set block-policy return
> set state-policy floating
> pass in log quick proto udp from any to 10.10.10.1 port domain keep state
> block in log from any to 10.10.11.254
>
> 22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
> 22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]
>

States not only have address/port pairs in them (among other things), but they also have a direction.  The request packet (coming in on xl1) creates a state that will match the following:

  10.10.11.254:32772 ==> 10.10.10.1:53 (IN)
  10.10.10.1:53 ==> 10.10.11.254:32772 (OUT)

The same packet is filtered again on xl0, but notice it will not match this state because its direction is now "out".  As Daniel said, it's passed anyway because of the implicit pass rule at the end of your ruleset (by the way, this makes it difficult to troubleshoot problems).

Server receives packet and replies:

  10.10.10.1:53 ==> 10.10.11.254:32772 (IN)

Notice this will not match the state created above (direction is IN, not OUT), and it will also be blocked by your second rule.

-Kian

PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)
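The following is an added illustration, not code from this thread or from pf itself: a toy model of the direction-aware state lookup Kian describes, reduced to the fields the posted ruleset uses (direction, proto, destination, port, quick, keep state). It pushes the DNS query from the pflog through the four filter hops (in on xl1, out on xl0, reply in on xl0, reply out on xl1) and reproduces the "rule 0 pass on xl1, rule 1 block on xl0" sequence. The FIXED ruleset, an extra `pass out ... keep state` rule so the query also creates an OUT state as it leaves on xl0, is my assumption about a fix and is not something the thread proposes; names like Pf, Rule, Pkt and trace are invented for this example.

```python
# Toy model of pf's direction-aware state lookup, written to illustrate the
# explanation in the message above. This is NOT pf code; matching is reduced
# to the fields the posted ruleset uses, and 'floating' means the interface is
# not part of the state key.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply(self):
        """The packet the other side sends back: addresses and ports swapped."""
        return Pkt(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    proto: Optional[str] = None       # None means any
    dst: Optional[str] = None         # None means any
    dport: Optional[int] = None       # None means any
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt, direction):
        return all(want is None or want == have for want, have in (
            (self.direction, direction), (self.proto, pkt.proto),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


class Pf:
    """Last matching rule wins unless it is 'quick'; no match is the implicit pass."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = []   # list of (5-tuple key, direction it was created in)

    def find_state(self, pkt, direction):
        for key, st_dir in self.states:
            # Same 5-tuple travelling in the direction the state was created in ...
            if key == pkt.key() and st_dir == direction:
                return True
            # ... or the swapped 5-tuple travelling the opposite way.
            if key == pkt.reply().key() and st_dir != direction:
                return True
        return False

    def filter(self, pkt, direction):
        if self.find_state(pkt, direction):
            return ("pass", "state")
        matched = None
        for i, r in enumerate(self.rules):
            if r.matches(pkt, direction):
                matched = i
                if r.quick:
                    break
        if matched is None:
            return ("pass", "default")
        r = self.rules[matched]
        if r.action == "pass" and r.keep_state:
            self.states.append((pkt.key(), direction))
        return (r.action, f"rule {matched}")


def trace(rules):
    """Run the query from the pflog through the router and back.

    Returns a list of (hop, action, matched-by); stops at the first block,
    since a blocked packet never reaches the next hop.
    """
    pf = Pf(rules)
    query = Pkt("10.10.11.254", 32772, "10.10.10.1", 53)   # taken from the posted pflog
    hops = [("in", "xl1", query), ("out", "xl0", query),
            ("in", "xl0", query.reply()), ("out", "xl1", query.reply())]
    out = []
    for direction, iface, pkt in hops:
        action, why = pf.filter(pkt, direction)
        out.append((f"{direction} on {iface}", action, why))
        if action == "block":
            break
    return out


# The two rules from the post, in pf.conf order ('log' has no effect on the verdict).
POSTED = [
    Rule("pass", "in", "udp", "10.10.10.1", 53, quick=True, keep_state=True),
    Rule("block", "in", dst="10.10.11.254"),
]

# Assumed fix (not from the thread): also create state as the query leaves on
# xl0, so the reply coming back in on xl0 matches state before rule 1 can block it.
FIXED = POSTED + [
    Rule("pass", "out", "udp", "10.10.10.1", 53, quick=True, keep_state=True),
]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name)
        for hop in trace(rules):
            print("  ", *hop)
```

With POSTED the model stops at "in on xl0, block, rule 1", the same verdict as the second pflog line; with FIXED the reply is accepted by state on xl0 and again on xl1. The point to take away is that the implicit pass at hop two hides the real problem: nothing on xl0 ever created state, so the reply has only the rules to fall back on.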