Date: Mon, 19 Jun 2006 14:01:46 +0800 From: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com> To: Kian Mohageri <kian.mohageri@gmail.com> Cc: freebsd-pf@freebsd.org Subject: Re: outgoing LAN traffic always in "keep state" Message-ID: <44963DCA.8030800@infoweapons.com> In-Reply-To: <fee88ee40606182233v3b280dbbgfa57a30f311c4ef7@mail.gmail.com> References: <44960900.4000406@infoweapons.com> <fee88ee40606182233v3b280dbbgfa57a30f311c4ef7@mail.gmail.com>
I have the nat function enabled, and I also tried enabling rdr and binat. Are you
saying the "keep state" functionality depends on these 3?
Here's my pf config file:
#
# Aliases
#
loopback = "{ lo0 }"
lan = "{ em0 }"
wan = "{ vr0 }"
#statistics (pf keeps statistics for a single loginterface; the second 'set' overrides the first)
set loginterface em0
set loginterface vr0
#optimize packets
set optimization normal
#normalize outgoing packets IP ID field
scrub log on vr0 all random-id fragment reassemble
#
# NAT on WAN interface (dont use IF alias for on the fly changes)
#
nat on $wan from 20.0.0.0/8 to any -> (vr0)
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# for ssh from 10.3.1.41 to 10.10.0.161
pass in log quick on $wan proto tcp from 10.3.1.41 to 10.10.0.161 port 22
pass out log quick on $wan proto tcp from 10.10.0.161 port 22 to 10.3.1.41
# tcp from internal source to external dest
# note: response packet will not be evaluated against incoming wan rules
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp from 10.3.2.19 to any
#
# default block
#
block in log quick all
block out log quick all
Kian Mohageri wrote:
> Post your ruleset and people can help you. You're probably using
> nat/rdr/binat which create states.
>
> -Kian
>
> On 6/18/06, Ronnel P. Maglasang <rmaglasang@infoweapons.com> wrote:
>
> I have a minimum PF setup that sits in between my internal network (lan)
> and external network (wan). PF, by design, bypasses ruleset evaluation (on
> external interfaces) for incoming packets on the external interface that
> correspond to an entry in the state table or are a response to an
> internally generated packet. I observe this for TCP, UDP and also ICMP
> packets. Even if the matching rule on the internal interface does not have
> a "keep state", the response packet still bypasses the ruleset evaluation.
> Is there a way to force response packets to go through ruleset evaluation?
> I just want to have full control of the incoming packets on the external
> interface, whether they are a response to LAN traffic or not. I'll be
> implementing queueing soon and I think this PF behavior will affect it
> badly. Has anyone experienced this?
>
> Thanks a lot.
> - sho
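As an added illustration (a toy model written for this archive page, not pf source and not code from either poster), the following Python simulates the order pf applies to the posted ruleset: nat translation on the outbound interface, then the state-table lookup, then the filter rules. The rules and the 10.x addresses come from the pf.conf above; the LAN host 20.0.0.5 is a constructed address.

```python
import ipaddress as ipa

def match(net, addr):
    return ipa.ip_address(addr) in ipa.ip_network(net)

class PfModel:
    """Simplified pf packet path: nat, then state table, then ruleset."""
    def __init__(self, rules, nat=None):
        self.rules = rules    # (action, direction, iface, src_net, dst_net)
        self.nat = nat        # (iface, src_net, translated_src) or None
        self.states = set()   # (src, dst) pairs, both directions of each state

    def filter(self, direction, iface, src, dst):
        """Return (verdict, decided_by); decided_by is 'state' or 'ruleset'."""
        # 1. nat rewrites the source of outbound packets on the nat interface
        #    before any filter rule sees the packet
        translated = False
        if (self.nat and direction == "out" and iface == self.nat[0]
                and match(self.nat[1], src)):
            src, translated = self.nat[2], True
        # 2. a packet matching an existing state is passed without the
        #    ruleset ever being evaluated (the behaviour asked about)
        if (src, dst) in self.states:
            return "pass", "state"
        # 3. otherwise walk the ruleset: every rule is 'quick', so the first
        #    match decides, and the trailing 'block ... all' is the default
        verdict = "block"
        for action, d, i, s_net, d_net in self.rules:
            if d == direction and i == iface and match(s_net, src) and match(d_net, dst):
                verdict = action
                break
        # 4. a nat translation creates state for the passed packet even though
        #    no rule says 'keep state', so the reply takes the path in step 2
        if verdict == "pass" and translated:
            self.states.update({(src, dst), (dst, src)})
        return verdict, "ruleset"

RULES = [  # the relevant pass rules from the posted pf.conf (no keep state)
    ("pass", "in",  "em0", "20.0.0.0/8",     "10.3.2.19/32"),
    ("pass", "out", "vr0", "10.10.0.161/32", "10.3.2.19/32"),
    ("pass", "in",  "vr0", "10.3.2.19/32",   "10.10.0.161/32"),
    ("pass", "out", "em0", "10.3.2.19/32",   "0.0.0.0/0"),
]
def trace(with_nat):
    """One LAN->WAN packet and its reply; 20.0.0.5 is a constructed LAN host."""
    nat = ("vr0", "20.0.0.0/8", "10.10.0.161") if with_nat else None
    pf = PfModel(RULES, nat)
    return [pf.filter("in",  "em0", "20.0.0.5",  "10.3.2.19"),    # LAN side
            pf.filter("out", "vr0", "20.0.0.5",  "10.3.2.19"),    # WAN side, nat applies
            pf.filter("in",  "vr0", "10.3.2.19", "10.10.0.161")]  # reply on WAN
```

With the nat rule present the reply on vr0 is decided by the state table and the `pass in ... on $wan` rules are never consulted; without it the same reply is evaluated against the ruleset (and the outbound packet is blocked, because the wan out rule was written for the translated source).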