Date: Tue, 26 Sep 2006 19:35:08 +0200
From: Peter Schuller <peter.schuller@infidyne.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf + ipv6 + keep state - any known issues?
Message-ID: <200609261935.09003.peter.schuller@infidyne.com>
In-Reply-To: <45164C0C.5010406@infracaninophile.co.uk>
References: <200609240036.12322.peter.schuller@infidyne.com> <45164C0C.5010406@infracaninophile.co.uk>
> Are you using antispoofing rules on your external interface? If you've got
> something like this in your ruleset:
>
> antispoof log quick for $ext_if
>
> Then it will expand into a series of rules containing the following when
> you load them:

Thank you for responding!

No, this is not the issue. I *am* performing antispoof on my physical interface, but not on the tunnel interface.

After some further investigation my current theory is that I have run into the trouble with pf and a packet traversing an interface twice. Having a 'keep state' on the *incoming* direction results in a state entry according to pfctl, but there is no state entry for the 'keep state' in the outgoing direction. The result is that packets coming into port 22 are allowed and state is set up, but the responding packets (to some random source port) are NOT allowed because the outgoing direction yielded no state entry.

I am not sure what the behavior is supposed to be with a packet traversing the same interface twice, except I have seen references to the effect of "don't be stupid, don't do that, get another NIC" (for the typical firewall/gateway case). Except in this case that does not apply, even if you agree with the sentiment to begin with.

Can anyone confirm or deny whether "double" traversal *IS* supposed to work without difficulties/special cases on current versions of pf/FreeBSD?

Thanks!

-- 
/ Peter Schuller, InfiDyne Technologies HB
PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrieval: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org
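A minimal pf.conf in the shape described in the message above (antispoof on the physical NIC only, 'keep state' rules on the IPv6 tunnel interface), added here as an illustration and not taken from the poster's actual ruleset. The interface names and the IPv6 prefix are assumptions; the comments give the pfctl commands used to confirm whether a state entry exists for each direction.

```pf
# Added example ruleset, not the original poster's configuration.
# Interface names and the prefix below are assumptions.
ext_if  = "em0"                # physical NIC carrying the tunnel's outer packets
tun_if  = "gif0"               # IPv6-over-IPv4 tunnel interface
tun_net = "2001:db8:1::/64"    # constructed documentation prefix behind the tunnel

set skip on lo0

# Antispoof on the physical interface only, as in the message; nothing
# equivalent is applied to $tun_if.
antispoof log quick for $ext_if

block log all

# Outer tunnel traffic on the NIC: IPv6 encapsulated in IPv4 (protocol 41).
pass in  quick on $ext_if inet proto ipv6 keep state
pass out quick on $ext_if inet proto ipv6 keep state

# Inner IPv6 traffic, evaluated a second time when the decapsulated packet
# crosses $tun_if. The inbound SSH rule creates a state entry; pf state
# entries are bidirectional, so the SYN/ACK leaving on $tun_if is expected
# to match that entry rather than a separate outbound rule.
pass in  on $tun_if inet6 proto tcp to $tun_net port 22 flags S/SA keep state

# Connections originated from the inside get their own state on the way out.
pass out on $tun_if inet6 keep state

# Checks after 'pfctl -f /etc/pf.conf':
#   pfctl -ss        lists the state table; look for one entry per SSH
#                    connection with the tunnel address and port 22
#   pfctl -vsr       shows per-rule evaluation/match counters, so a blocked
#                    reply shows up as hits on 'block log all'
#   tcpdump -n -e -ttt -i pflog0   decodes the logged drops with the
#                    interface and rule number that blocked them
```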