From owner-freebsd-questions@FreeBSD.ORG  Wed Apr  2 14:20:58 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D4F2F106566B
	for <questions@freebsd.org>; Wed,  2 Apr 2008 14:20:58 +0000 (UTC)
	(envelope-from norgaard@math.ku.dk)
Received: from mail.math.ku.dk (imf.math.ku.dk [130.225.103.32])
	by mx1.freebsd.org (Postfix) with ESMTP id 97CF58FC18
	for <questions@freebsd.org>; Wed,  2 Apr 2008 14:20:58 +0000 (UTC)
	(envelope-from norgaard@math.ku.dk)
Received: from mail.math.ku.dk (localhost [127.0.0.1])
	by mail.math.ku.dk (Postfix) with ESMTP id 359194761E
	for <questions@freebsd.org>; Wed,  2 Apr 2008 16:03:07 +0200 (CEST)
Received: from shannon.math.ku.dk (shannon.math.ku.dk [130.225.103.12])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.math.ku.dk (Postfix) with ESMTP
	for <questions@freebsd.org>; Wed,  2 Apr 2008 16:03:07 +0200 (CEST)
Date: Wed, 2 Apr 2008 16:03:06 +0200 (CEST)
From: Erik Norgaard <norgaard@math.ku.dk>
To: questions@freebsd.org
Message-ID: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
User-Agent: Alpine 1.00 (LSU 882 2007-12-20)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: 
Subject: packet filter does not keep state
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2008 14:20:58 -0000

Hi,

I have a problem connecting from one local subnet to another 
crossing an FBSD box with pf. Should be trivial, I have the 
following ruleset:

<snip>
# Local services accessible from wlan
block in log on $wlan_if inet from $wlan_net to <local_net>
pass  in log quick on $wlan_if inet proto tcp  from $wlan_net to \
      <local_net> port $local_tcp flags S/SA keep state
pass  in log quick on $wlan_if inet proto udp  from $wlan_net to \
      <local_net> port $local_udp keep state
pass  in log quick on $wlan_if inet proto icmp from $wlan_net to \
      <local_net> icmp-type $local_icmp keep state
block in log quick on $wlan_if inet from $wlan_net to <local_net>

block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to !<local_net> \
      keep state
block out log quick on $srv_if
</snip>

<local_net> is a table of the directly attached local networks, I 
try to connect from my wireless to a wired lan.

But, tcpdump on pflog0 shows this:

000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 >
     192.168.0.254.80: [|tcp]
000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 >
     192.168.0.254.80:  tcp 44 [bad hdr length 0 - too short, < 20]

Evidently, the packet is matched by the correct pass in rule, yet 
no state is created and it is subsequently blocked by the block 
out rule.

I can add a pass out rule to get through, but that shouldn't be 
the correct solution, why does pf not keep state?

Thanks, Erik