Date: Wed, 2 Apr 2008 11:40:37 -0500 From: Josh Paetzel <josh@tcbug.org> To: freebsd-questions@freebsd.org Cc: Erik Norgaard <norgaard@math.ku.dk> Subject: Re: packet filter does not keep state Message-ID: <200804021140.42822.josh@tcbug.org> In-Reply-To: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk> References: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart1617093.Zk3dkWBuv2 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 02 April 2008 09:03:06 am Erik Norgaard wrote: > Hi, > > I have a problem connecting from one local subnet to another > crossing an FBSD box with pf. Should be trivial, I have the > following ruleset: > > <snip> > # Local services accessible from wlan > block in log on $wlan_if inet from $wlan_net to <local_net> > pass in log quick on $wlan_if inet proto tcp from $wlan_net to \ > <local_net> port $local_tcp flags S/SA keep state > pass in log quick on $wlan_if inet proto udp from $wlan_net to \ > <local_net> port $local_udp keep state > pass in log quick on $wlan_if inet proto icmp from $wlan_net to \ > <local_net> icmp-type $local_icmp keep state > block in log quick on $wlan_if inet from $wlan_net to <local_net> > > block out log on $srv_if > pass out quick on $srv_if inet from $srv_ip to $srv_net keep state > pass out quick on $srv_if inet from $srv_ip to !<local_net> \ > keep state > block out log quick on $srv_if > </snip> > > <local_net> is a table of the directly attached local networks, I > try to connect from my wireless to a wired lan. > > But, tcpdump on pflog0 shows this: > > 000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 > > 192.168.0.254.80: [|tcp] > 000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 > > 192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20] > > Evidently, the packet is matched by the correct pass in rule, yet > no state is created and it is subsequently blocked by the block > out rule. > > I can add a pass out rule to get through, but that shouldn't be > the correct solution, why does pf not keep state? > > Thanks, Erik Is there an entry for the connection in the state table? And does PF compl= ain=20 about the header length when what it really means to say is there's no stat= e? =20 It seems to me that a packet with no header might have trouble with the sta= te=20 table even if there's an entry for it. I've had trouble wih PF acting in non-intuitive ways before, especially=20 concerning nat, binat, and rdr rules, which it's hard to tell if you're=20 dealing with due to the <snip>. =2D-=20 Thanks, Josh Paetzel PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB --nextPart1617093.Zk3dkWBuv2 Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.8 (FreeBSD) iEYEABECAAYFAkfztwoACgkQJvkB8SevrsveMwCfWD3pu2CwwGNnxW/pYjYjGWye 4V8An2HYCeAxMpI/OGWFIYuhx55RKYEo =F9X7 -----END PGP SIGNATURE----- --nextPart1617093.Zk3dkWBuv2--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200804021140.42822.josh>