From: Josh Paetzel <josh@tcbug.org>
To: freebsd-questions@freebsd.org
Cc: Erik Norgaard
Date: Wed, 2 Apr 2008 11:40:37 -0500
Subject: Re: packet filter does not keep state
Message-Id: <200804021140.42822.josh@tcbug.org>

On Wednesday 02 April 2008 09:03:06 am Erik Norgaard wrote:
> Hi,
>
> I have a problem connecting from one local subnet to another
> crossing an FBSD box with pf. Should be trivial, I have the
> following ruleset:
>
>
> # Local services accessible from wlan
> block in log on $wlan_if inet from $wlan_net to
> pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
> port $local_tcp flags S/SA keep state
> pass in log quick on $wlan_if inet proto udp from $wlan_net to \
> port $local_udp keep state
> pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
> icmp-type $local_icmp keep state
> block in log quick on $wlan_if inet from $wlan_net to
>
> block out log on $srv_if
> pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
> pass out quick on $srv_if inet from $srv_ip to ! \
> keep state
> block out log quick on $srv_if
>
>
> is a table of the directly attached local networks, I
> try to connect from my wireless to a wired lan.
>
> But, tcpdump on pflog0 shows this:
>
> 000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 >
> 192.168.0.254.80: [|tcp]
> 000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 >
> 192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]
>
> Evidently, the packet is matched by the correct pass in rule, yet
> no state is created and it is subsequently blocked by the block
> out rule.
>
> I can add a pass out rule to get through, but that shouldn't be
> the correct solution, why does pf not keep state?
>
> Thanks, Erik

Is there an entry for the connection in the state table? And does PF complain
about the header length when what it really means to say is there's no state?

It seems to me that a packet with no header might have trouble with the state
table even if there's an entry for it.

I've had trouble with PF acting in non-intuitive ways before, especially
concerning nat, binat, and rdr rules, which it's hard to tell if you're
dealing with due to the .
-- 
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
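Josh's first question (is there an entry for the connection in the state table?) is the check to make before touching the ruleset. The script below is an added example, not from this thread or from the pf project: it parses the two pflog lines Erik quoted and looks the flow up in constructed `pfctl -ss` (state table) and `pfctl -vvsr` (numbered rule list) dumps. The dump formats are modelled on those tools' output and vary a little between pf versions; the networks in the rule dump are hypothetical stand-ins for Erik's macros and table. On the real box the two dumps come from running those commands.

```sh
#!/bin/sh
# Added example (not from the thread): correlate a pflog line from tcpdump
# with the pf state table and rule list. All data below is constructed.

# Constructed: the two pflog lines Erik quoted, as `tcpdump -n -e -ttt -i pflog0` prints them.
PFLOG_PASS='000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 > 192.168.0.254.80: [|tcp]'
PFLOG_BLOCK='000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 > 192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]'

# Constructed `pfctl -ss` dump with no entry for that flow (the situation in the thread).
STATES_MISSING='all tcp 10.0.0.1:22 <- 172.17.1.5:50000       ESTABLISHED:ESTABLISHED
all udp 172.17.1.254:53 <- 172.17.1.10:40000       MULTIPLE:SINGLE'

# Constructed `pfctl -ss` dump where the pass-in rule did create a state
# (pf lists an inbound state as "dst:dport <- src:sport").
STATES_PRESENT="$STATES_MISSING
all tcp 192.168.0.254:80 <- 172.17.1.254:49347       SYN_SENT:CLOSED"

# Constructed `pfctl -vvsr` excerpt; the @N prefix is the number pflog reports.
# Hypothetical concrete networks stand in for the thread's macros and table.
RULES='@53 block drop in log on ath0 inet from 172.17.1.0/24 to 192.168.0.0/24
@54 pass in log quick on ath0 inet proto tcp from 172.17.1.0/24 to 192.168.0.0/24 port = http flags S/SA keep state
@94 block drop out log quick on vr0 all'

# Print "src sport dst dport" parsed from a pflog tcpdump line.
pflog_flow() {
    printf '%s\n' "$1" |
        sed -n 's/.*: \([0-9.]*\)\.\([0-9]*\) > \([0-9.]*\)\.\([0-9]*\):.*/\1 \2 \3 \4/p'
}

# Print the N from "rule N/M(match)" in a pflog line.
pflog_rule() {
    printf '%s\n' "$1" | sed -n 's/.*rule \([0-9]*\)\/[0-9]*(match).*/\1/p'
}

# Print the pfctl -vvsr line for rule number $2 from dump $1.
rule_text() {
    printf '%s\n' "$1" | grep "^@$2 "
}

# Print state lines for the flow src:sport -> dst:dport, searching both the
# outbound ("src -> dst") and inbound ("dst <- src") spellings. Exit 1 if none.
state_for_flow() {
    printf '%s\n' "$1" | grep -F -e "$2:$3 -> $4:$5" -e "$4:$5 <- $2:$3"
}

# Return 0 if the flow in pflog line $1 has an entry in state dump $2, else 1.
# $3 is the rule dump, used only to print the rule the packet matched.
check_flow() {
    line=$1; states=$2; rules=$3
    set -- $(pflog_flow "$line")
    [ $# -eq 4 ] || { echo "could not parse pflog line" >&2; return 2; }
    echo "pflog: $line"
    echo "  matched: $(rule_text "$rules" "$(pflog_rule "$line")")"
    if state_for_flow "$states" "$1" "$2" "$3" "$4"; then
        echo "  state exists for $1:$2 -> $3:$4"
        return 0
    fi
    echo "  no state for $1:$2 -> $3:$4 (keep state did not create one)"
    return 1
}

check_flow "$PFLOG_PASS" "$STATES_MISSING" "$RULES" || true   # the thread's case
check_flow "$PFLOG_BLOCK" "$STATES_MISSING" "$RULES" || true  # same flow, the block out line
check_flow "$PFLOG_PASS" "$STATES_PRESENT" "$RULES"           # what a working rule looks like
```

Two things this makes visible: the rule number in the pflog line is the `@N` of `pfctl -vvsr`, so "rule 54" and "rule 94" can be read back to the exact pass and block lines without counting, and an inbound `keep state` entry shows up in `pfctl -ss` with the addresses reversed, which is easy to miss with a plain grep for `src:port -> dst:port`.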