Date: Tue, 3 Dec 2019 14:05:55 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191203070555.GA38510@admin.sibptus.ru>
In-Reply-To: <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz>
Morgan Wesström wrote:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.
> - Your SYN+ACK reply and further replies will be passed by pf's default
> pass behaviour on $dmz.

OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.

1. Here is the picture without the "block..." rule:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
root@fw:~ #

2. Here is the picture with the "block..." rule uncommented:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
(no reply)

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
root@fw:~ #

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
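When comparing state tables like the two snapshots above on a busier firewall, it helps to have a small parser for `pfctl -s state` output that groups entries by endpoint pair and shows which directions have an entry. The following is an added example, not code from the thread or from pf itself; the sample input is constructed from the two snapshots Victor posted, and the parser assumes the pfctl line shapes `<if> <proto> <dst> <- <src> <state>`, `<if> <proto> <src> -> <dst> <state>` and, for translated outbound states, `<if> <proto> <src> -> <nat> -> <dst> <state>`, keeping only the outer two addresses.

```python
"""Group `pfctl -s state` entries by endpoint pair and report the directions seen.

Added example; not part of the mailing-list thread or of pf. The two snapshots
below are constructed from the state tables quoted in the message.
"""
from collections import defaultdict

# Constructed sample input: snapshot 1 (no block rule) shows two ICMP entries,
# snapshot 2 (block rule active) shows only the entry created by the request.
SNAPSHOT_OPEN = """\
all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
"""

SNAPSHOT_BLOCKED = """\
all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
"""

ARROWS = ("<-", "->")


def parse_state_line(line):
    """Return (iface, proto, src, dst, state) for one pfctl state line, or None.

    Inbound entries are printed destination first (``dst <- src``); outbound
    entries source first (``src -> dst``). A translated address in the middle
    of a NAT entry (``src -> nat -> dst``) is ignored (assumed line shape).
    """
    tokens = line.split()
    if len(tokens) < 5:
        return None
    iface, proto, state = tokens[0], tokens[1], tokens[-1]
    middle = tokens[2:-1]
    endpoints = [t for t in middle if t not in ARROWS]
    if len(endpoints) < 2:
        return None
    if "<-" in middle:
        dst, src = endpoints[0], endpoints[-1]
    else:
        src, dst = endpoints[0], endpoints[-1]
    return iface, proto, src, dst, state


def flow_directions(output):
    """Map (proto, endpoint_a, endpoint_b) to the set of 'src->dst' directions seen."""
    flows = defaultdict(set)
    for line in output.splitlines():
        parsed = parse_state_line(line)
        if parsed is None:
            continue
        _iface, proto, src, dst, _state = parsed
        key = (proto,) + tuple(sorted((src, dst)))
        flows[key].add(f"{src}->{dst}")
    return dict(flows)


def one_way_flows(output):
    """Endpoint pairs for which pfctl printed an entry in only one direction."""
    return [key for key, dirs in flow_directions(output).items() if len(dirs) == 1]


if __name__ == "__main__":
    for name, snap in (("open", SNAPSHOT_OPEN), ("blocked", SNAPSHOT_BLOCKED)):
        print(f"{name}:")
        for key, dirs in flow_directions(snap).items():
            print(f"  {key[0]} {key[1]} <-> {key[2]}: {sorted(dirs)}")
```

Running it prints one line per endpoint pair, so the difference between the first snapshot (entries in both directions) and the second (only the request direction) stands out without reading the raw table.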
