From owner-freebsd-pf@FreeBSD.ORG Wed May 7 22:20:02 2008
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0CA7F1065679; Wed, 7 May 2008 22:20:02 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.freebsd.org (Postfix) with ESMTP id 9E1B98FC16; Wed, 7 May 2008 22:20:01 +0000 (UTC) (envelope-from max@love2party.net)
Received: from vampire.homelinux.org (dslb-088-066-050-061.pools.arcor-ip.net [88.66.50.61]) by mrelayeu.kundenserver.de (node=mrelayeu2) with ESMTP (Nemesis) id 0MKwtQ-1JtrzS0GzY-0004LL; Thu, 08 May 2008 00:20:00 +0200
Received: (qmail 81556 invoked from network); 7 May 2008 22:18:26 -0000
Received: from myhost.laiers.local (192.168.4.151) by laiers.local with SMTP; 7 May 2008 22:18:26 -0000
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 8 May 2008 00:15:27 +0200
User-Agent: KMail/1.9.9
References: <004f01c8b068$89c89350$9d59b9f0$@com>
In-Reply-To: <004f01c8b068$89c89350$9d59b9f0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200805080015.27191.max@love2party.net>
Subject: Re: UDP weirdness
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Wed, 07 May 2008 22:20:02 -0000

On Wednesday 07 May 2008 19:34:00 Ansar Mohammed wrote:
> I have a very simple configuration yet I am bemused as to what I am
> doing wrong.
>
> Windows 2003 <- FreeBSD-PF -> Windows 2003
> 192.168.3.2    192.168.3.1  192.168.2.2    192.168.2.130
>
> Here are my rules
>
> ext_if="le0"
> int_if="le1"
> int_net="192.168.3.0/24"
> ext_net="192.168.2.0/24"
> int_addr="192.168.3.1"
> ext_addr="192.168.2.2"
> scrub on $ext_if all reassemble tcp
> scrub on $int_if all reassemble tcp
> block in log all
> pass in proto icmp from any to any
> pass in proto udp from any to any port 53
> pass in on $ext_if inet proto tcp from any to any port 3389
>
> DNS traffic is allowed through but the return packet gets blocked. Can
> anyone explain why?
> This is true on ALL UDP traffic; TCP traffic works well.
>
> Pflog message:
>
> 065276 rule 0/0(match): block in on le1: 192.168.3.2.53 > 192.168.2.130.3837: [|domain]

Here is what happened:

1) You sent a DNS request from 192.168.2.130:3837 to 192.168.3.2:53. This passes on le0 (which I assume is the interface on 192.168.2.0/24) because of the "pass in ... to any port 53" (because the packet is indeed destined to any port 53). This creates a state:

   le0 IN 192.168.2.130:3837->192.168.3.2:53

2) You forward the packet and it leaves le1 in out direction. This passes because you don't block outgoing packets at all. It doesn't create state either.

3) The server replies from 192.168.3.2:53 to 192.168.2.130:3837. This is blocked on le1 because there is no rule to allow it and the state created above does *NOT* match!

Why doesn't it match the state? A state "le0 IN 192.168.2.130:3837->192.168.3.2:53" will match:

   IN  192.168.2.130:3837->192.168.3.2:53
   and
   OUT 192.168.3.2:53->192.168.2.130:3837

but not

   IN  192.168.3.2:53->192.168.2.130:3837

If state-policy is set to floating, the interface doesn't matter, but the direction does!

This is a FAQ!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
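The state-matching rule Max describes (same 5-tuple in the same direction, or the reversed 5-tuple in the opposite direction, with the interface ignored under floating but required under if-bound) can be walked through on the exact packet sequence from the thread. The model below is an added example, not code from pf or from either poster; it replays Ansar's four rules, then the same rules with a stateful "pass out on le1" added (an assumption about the fix, not something the thread states), under both state policies. keep_state is made explicit on the pass rules because Max's step 1 relies on the first pass rule creating a state, and rule evaluation is last-match-wins with no "quick", as in pf.

```python
"""Toy model of pf state matching for the DNS exchange in the thread above.

Added example, not pf's code. A State records the interface, direction and
5-tuple of the packet that created it. A later packet matches the state if it
carries the same 5-tuple in the same direction, or the reversed 5-tuple in the
opposite direction. With state-policy floating the interface is ignored; with
if-bound it must match. Rules are last-match-wins; a block stops the flow.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ifname: str
    direction: str  # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def rkey(self):  # the 5-tuple as the reply would carry it
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    ifname: Optional[str] = None     # None matches any interface
    proto: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.ifname is None or self.ifname == p.ifname)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass(frozen=True)
class State:
    ifname: str
    direction: str
    key: tuple  # 5-tuple as seen when the state was created


class PF:
    def __init__(self, rules: List[Rule], state_policy: str = "floating"):
        self.rules = rules
        self.state_policy = state_policy
        self.states: List[State] = []

    def find_state(self, p: Packet) -> Optional[State]:
        for s in self.states:
            if self.state_policy == "if-bound" and s.ifname != p.ifname:
                continue  # floating ignores the interface; if-bound does not
            if p.key() == s.key and p.direction == s.direction:
                return s
            if p.rkey() == s.key and p.direction != s.direction:
                return s  # reply: reversed tuple, opposite direction
        return None

    def filter(self, p: Packet) -> str:
        if self.find_state(p) is not None:
            return "pass:state"
        last = None
        for r in self.rules:  # last matching rule wins
            if r.matches(p):
                last = r
        if last is None:
            return "pass:default"  # nothing matched: pf passes the packet
        if last.action == "pass" and last.keep_state:
            self.states.append(State(p.ifname, p.direction, p.key()))
        return last.action


# Ansar's rule set from the thread (scrub omitted; it does not affect matching).
ORIGINAL_RULES = [
    Rule("block", direction="in"),
    Rule("pass", direction="in", proto="icmp", keep_state=True),
    Rule("pass", direction="in", proto="udp", dport=53, keep_state=True),
    Rule("pass", direction="in", ifname="le0", proto="tcp", dport=3389, keep_state=True),
]

# Assumed fix: also keep state for traffic leaving the internal interface, so
# the forwarded request creates a le1 OUT state that the reply on le1 IN matches.
FIXED_RULES = ORIGINAL_RULES + [Rule("pass", direction="out", ifname="le1", keep_state=True)]


def dns_exchange(rules: List[Rule], state_policy: str = "floating") -> List[str]:
    """Replay the four packet events from the thread; stop at the first block."""
    pf = PF(rules, state_policy)
    events = [
        Packet("le0", "in",  "udp", "192.168.2.130", 3837, "192.168.3.2", 53),   # request arrives
        Packet("le1", "out", "udp", "192.168.2.130", 3837, "192.168.3.2", 53),   # request forwarded
        Packet("le1", "in",  "udp", "192.168.3.2", 53, "192.168.2.130", 3837),   # reply arrives
        Packet("le0", "out", "udp", "192.168.3.2", 53, "192.168.2.130", 3837),   # reply forwarded
    ]
    results = []
    for p in events:
        verdict = pf.filter(p)
        results.append(verdict)
        if verdict == "block":
            break
    return results


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, "original:", dns_exchange(ORIGINAL_RULES, policy))
        print(policy, "fixed:   ", dns_exchange(FIXED_RULES, policy))
```

Under both policies the original rule set passes the request on le0, passes the forwarded copy on le1 by default without creating state, and blocks the reply on le1 IN, which is the pflog line Ansar posted; switching to floating changes nothing, because the le0 state is only ever consulted for the reversed tuple in the OUT direction. With a stateful pass on le1 OUT the reply matches that second state and the exchange completes. In pf.conf terms the added rule corresponds to something like "pass out on $int_if keep state" (or a stateful "pass out all"); which exact rule to use is a choice for the operator, not something the thread specifies.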