From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-pf <freebsd-pf@freebsd.org>
Subject: Re: pf's states
Date: Tue, 03 Dec 2019 09:51:30 +0100
In-Reply-To: <20191203070555.GA38510@admin.sibptus.ru>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <20191203070555.GA38510@admin.sibptus.ru>

TLDR: add log to the rules, then start pflog, use wireshark or tcpdump on the pflog interface and you can see exactly which rule is applied to that packet.

On Tue, 3 Dec 2019, at 08:05, Victor Sudakov wrote:
> Morgan Wesström wrote:
> >
> > - Your initial telnet SYN will create state on $inside through rule 3.
> > - There should be no state created on $dmz.
> > - Your SYN+ACK reply and further replies will be passed by pf's default
> > pass behaviour on $dmz.
>
> OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.
>
> 1. Here is the picture without the "block..." rule:
>
> root@inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> 64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
> 64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
> 64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
> 64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
> 64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms
>
> root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
> all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
> root@fw:~ #
>
> 2. Here is the picture with the "block..." rule uncommented:
>
> root@inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> (no reply)
>
> root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> block drop in on vtnet1 inet from any to 192.168.0.0/16
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
> root@fw:~ #
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/
>
> Attachments:
> * signature.asc

--
— Dave Cottlehuber
+43 67 67 22 44 78
Managing Director
Skunkwerks, GmbH
http://skunkwerks.at/
ATU70126204
Firmenbuch 410811i
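Dave's suggestion, worked through as an added example that is not part of the thread: once `log` is on the rules and pflog is running, each line `tcpdump -n -e -ttt -i pflog0` prints carries `rule N/M(match)`, where N is the `@N` index shown by `pfctl -vvs rules`, and because pf's last matching rule wins (no `quick`), that is the rule that actually decided the packet. Both inputs below are constructed samples (Victor's ruleset with `log` added and two made-up pflog lines), not output captured from his firewall.

```python
import re

# Constructed sample (assumption, not from the mail) of `pfctl -vvs rules` for the
# thread's ruleset with `log` added; the indented [ ... ] line is pfctl statistics.
PFCTL_VVS_RULES = """\
@0 pass in log on vtnet1 all flags S/SA keep state
  [ Evaluations: 12        Packets: 5         Bytes: 420         States: 1     ]
@1 block drop in log on vtnet1 inet from any to 192.168.0.0/16
@2 pass in log on vtnet2 all flags S/SA keep state
"""

# Constructed sample of `tcpdump -n -e -ttt -i pflog0`. The second packet matches
# both @0 and @1; pf's last matching rule wins, so @1 (block) is what gets logged.
PFLOG_LINES = """\
00:00:00.000000 rule 0/0(match): pass in on vtnet1: 192.168.10.3 > 172.16.1.10: ICMP echo request, id 8707, seq 0, length 64
00:00:00.000412 rule 1/0(match): block in on vtnet1: 192.168.10.3 > 192.168.20.5: ICMP echo request, id 8708, seq 0, length 64
"""

RULE_RE = re.compile(r"^@(?P<nr>\d+) (?P<rule>.+)$")
PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>\S+) (?P<dir>in|out) on (?P<ifname>[^:]+): (?P<pkt>.*)$"
)

def parse_rules(text):
    """Map the @N index printed by `pfctl -vvs rules` to the rule text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group("nr"))] = m.group("rule")
    return rules

def explain_pflog(pflog_text, rules):
    """Resolve each pflog line to (action, dir, ifname, rule text, packet).
    Lines in another shape (e.g. rules inside anchors) come back as ('?', '', '', '', line)."""
    out = []
    for line in pflog_text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            out.append(("?", "", "", "", line))
            continue
        rule = rules.get(int(m.group("nr")), "<not in current ruleset>")
        out.append((m.group("action"), m.group("dir"), m.group("ifname"), rule, m.group("pkt")))
    return out

if __name__ == "__main__":
    for action, direction, ifname, rule, pkt in explain_pflog(PFLOG_LINES, parse_rules(PFCTL_VVS_RULES)):
        print(f"{action} {direction} on {ifname}: {pkt}\n    by rule: {rule}")
```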