From owner-freebsd-pf@FreeBSD.ORG Thu Feb 28 15:22:49 2008
Date: Thu, 28 Feb 2008 06:56:29 -0800
From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Vadym Chepkov"
Cc: freebsd-pf@freebsd.org
Subject: Re: floating keep state
In-Reply-To: <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
References: <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com>
 <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com>
 <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
 <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov wrote:
> set block-policy return
> set state-policy floating
> pass in log quick proto udp from any to 10.10.10.1 port domain keep state
> block in log from any to 10.10.11.254
>
> 22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53: 45616+[|domain]
> 22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772: 45616*-[|domain]

States not only have address/port pairs in them (among other things), but they also have a direction. The request packet (coming in on xl1) creates a state that will match the following:

  10.10.11.254:32772 ==> 10.10.10.1:53 (IN)
  10.10.10.1:53 ==> 10.10.11.254:32772 (OUT)

The same packet is filtered again on xl0, but notice it will not match this state because its direction is now "out". As Daniel said, it's passed anyway because of the implicit pass rule at the end of your ruleset (by the way, this makes it difficult to troubleshoot problems).

Server receives packet and replies:

  10.10.10.1:53 ==> 10.10.11.254:32772 (IN)

Notice this will not match the state created above (direction is IN, not OUT), and it will also be blocked by your second rule.

-Kian

PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)
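A ruleset that gives the forwarded DNS exchange a matching state on both interfaces, written here as an added illustration of the direction problem explained in the thread; it is not code posted by Kian, Vadym or the pf project. It assumes the same addresses and interface names as the thread (clients behind xl1, the DNS server 10.10.10.1 behind xl0) and that the box forwards packets between them; the comments showing which state each rule creates are derived from the explanation above, not from real pfctl output.

```pf
# Constructed example, not from the thread: every forwarded packet is
# filtered once per interface it crosses, and a state only matches packets
# in the direction it was created for (forward key) or the exact reverse.
set block-policy return
set state-policy floating     # floating is fine; direction is still part of each state

# Explicit default deny in place of the implicit pass at the end of the
# original ruleset, so a packet that matches no state and no pass rule
# is logged instead of silently forwarded.
block log all

# First pass: the request arrives IN on xl1 (client side).
# State created:   10.10.11.254:32772 ==> 10.10.10.1:53       (in)
#                  10.10.10.1:53      ==> 10.10.11.254:32772  (out)
pass in  log quick on xl1 proto udp from any to 10.10.10.1 port domain keep state

# Second pass: the same request leaves OUT on xl0 (server side). It does not
# match the xl1 state (wrong direction) and would now hit "block log all",
# so it gets a state of its own:
#                  10.10.11.254:32772 ==> 10.10.10.1:53       (out)
#                  10.10.10.1:53      ==> 10.10.11.254:32772  (in)
pass out log quick on xl0 proto udp from any to 10.10.10.1 port domain keep state

# The reply now matches the xl0 state on its way IN (reverse direction) and
# the xl1 state on its way OUT, so it never reaches the rule below, which is
# kept from the original ruleset.
block in log from any to 10.10.11.254
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then send one query and run `pfctl -ss`: you should see two udp states for the same address pair, one with a `<-` arrow (created by the `pass in` rule) and one with `->` (created by the `pass out` rule). If `tcpdump -n -e -ttt -i pflog0` still shows the reply being blocked, the block line names the interface and direction on which no state matched, which is exactly the information the implicit pass rule was hiding.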