Date: Wed, 03 Sep 2008 08:42:52 -0400 From: Jon Radel <jon@radel.com> To: Guido van Rooij <guido@gvr.org> Cc: freebsd-pf@freebsd.org Subject: Re: keeping state on outgoing connections fails (?) Message-ID: <48BE864C.6000006@radel.com> In-Reply-To: <20080903110943.GA25396@gvr.gvr.org> References: <20080903110943.GA25396@gvr.gvr.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format. --------------ms080208090108080008010202 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Guido van Rooij wrote: > > Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0. > > ep0: 1.2.3.4/24 > bge0: 10.0.0.1/24 > > ruleset (made as simple as possible): > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 > block drop out log quick on ep0 all > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state > > When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0 > and passes because of rule 1. > Then the packet goes out via bge0, is passed via rule 3 and a satte entry is > created. > > The return SYN/ACK comes in via bge0 and passes because of the state entry. > > Then the packet should be sent out via ep0, but it is blocked, as pflogd shows: And does the problem go away when you put a "keep state" at the end of line 1? --Jon Radel --------------ms080208090108080008010202 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJMTCC AvMwggJcoAMCAQICEG2TkfF/93Sx9LCftry1D3YwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MDMyNDE2NTkyMVoX DTA5MDMyNDE2NTkyMVowXjEOMAwGA1UEBBMFUmFkZWwxEzARBgNVBCoTCkpvbiBUaG9tYXMx GTAXBgNVBAMTEEpvbiBUaG9tYXMgUmFkZWwxHDAaBgkqhkiG9w0BCQEWDWpvbkByYWRlbC5j b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPdCxQufreHHDAI9YN2axx87Rf 0TK1PYFMlJHi4y1ebdAMPqR6M44bz+3m8YnKn1bmIf7dWyisWyAIQYCOhW/2r66o4MdF9qJ9 z5uhMy+28zaJP/Glg64C3WPM0VfveCgvu+ApEyf2JDbjc/hUomw8KpppgOcn1wX6PZGbhHVv eAvDTWJ0ugqo08Ny6GR0bsGvePmxdWSQq+0aGTHqA1I2EozJBZ8W5xlUtKe22j56i1Uw1ujk Rlosdu2PTs8QOY1OUHuLPnEV9EWtYF7g6bXDUDsJxypXZy9qTipPplYXjdWgkLVRvezri+BN kgin8UKhKLQ99vS25zrMFKu80g31AgMBAAGjKjAoMBgGA1UdEQQRMA+BDWpvbkByYWRlbC5j b20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQAR4u9o4CFvztyo0sZb3tCQIWYb 5U4jW9da3goVwWIkMz+qeCb2kiTQfsSmOdF9YJ8VTRdYW0l0fQbqL5JikVhaYeX85cpqZ3iA /PPJpfPtJw8g5jJOAROVAvxydMZXQYxyIBMV4HNG3qir44YnyfmJXkBtRFYWdxBc7bQpoZSZ jzCCAvMwggJcoAMCAQICEG2TkfF/93Sx9LCftry1D3YwDQYJKoZIhvcNAQEFBQAwYjELMAkG A1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNV BAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MDMyNDE2NTky MVoXDTA5MDMyNDE2NTkyMVowXjEOMAwGA1UEBBMFUmFkZWwxEzARBgNVBCoTCkpvbiBUaG9t YXMxGTAXBgNVBAMTEEpvbiBUaG9tYXMgUmFkZWwxHDAaBgkqhkiG9w0BCQEWDWpvbkByYWRl bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPdCxQufreHHDAI9YN2axx 87Rf0TK1PYFMlJHi4y1ebdAMPqR6M44bz+3m8YnKn1bmIf7dWyisWyAIQYCOhW/2r66o4MdF 9qJ9z5uhMy+28zaJP/Glg64C3WPM0VfveCgvu+ApEyf2JDbjc/hUomw8KpppgOcn1wX6PZGb hHVveAvDTWJ0ugqo08Ny6GR0bsGvePmxdWSQq+0aGTHqA1I2EozJBZ8W5xlUtKe22j56i1Uw 1ujkRlosdu2PTs8QOY1OUHuLPnEV9EWtYF7g6bXDUDsJxypXZy9qTipPplYXjdWgkLVRvezr i+BNkgin8UKhKLQ99vS25zrMFKu80g31AgMBAAGjKjAoMBgGA1UdEQQRMA+BDWpvbkByYWRl bC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOBgQAR4u9o4CFvztyo0sZb3tCQ IWYb5U4jW9da3goVwWIkMz+qeCb2kiTQfsSmOdF9YJ8VTRdYW0l0fQbqL5JikVhaYeX85cpq Z3iA/PPJpfPtJw8g5jJOAROVAvxydMZXQYxyIBMV4HNG3qir44YnyfmJXkBtRFYWdxBc7bQp oZSZjzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhh d3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNp b24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJ ARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3 MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAo UHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBD QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me 7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQq E88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEA AaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9j cmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIB BjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcN AQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNw PP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq72 6jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIIDYAIBATB2MGIxCzAJBgNVBAYT AlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNU aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQbZOR8X/3dLH0sJ+2vLUPdjAJ BgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP Fw0wODA5MDMxMjQyNTJaMCMGCSqGSIb3DQEJBDEWBBQPhmya4hbjEBOUnI21AUKg9ozehTBS BgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYBBAGCNxAEMXgwdjBiMQswCQYD VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEG2TkfF/93Sx9LCftry1 D3YwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3Rl IENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt YWlsIElzc3VpbmcgQ0ECEG2TkfF/93Sx9LCftry1D3YwDQYJKoZIhvcNAQEBBQAEggEAm8Q3 f04CyeviSp3JZchKdb1byxHei3ZqkFfE3c5dojegAxkxmCFU6zJMt6eu7l3YTEMk4Aq2woet zACPJ/L6RILlYKPRAo70CsRx7x7svanQ6HLEdbwZb8L6L7egPKImh8Xk1oAvDnXV2K8V5EY8 gzKd3cDg0P5FxpztW6SJd2ELTnjLuL6HKBfumtIJqHtKKHQAvLmVwP19Mxxdk6tPEUDgYpv4 a8ZO3/JHCTscCOjw6k9K+DAop/MO2P3Mht5v4NU/imVJ5UkBSKYXNAd7RVMdPZFtXRzCD6YB sjGwsIHpAGUFTlm7qmDBp2tpgV2jJHB2muBLoragiR8x6WHeqAAAAAAAAA== --------------ms080208090108080008010202--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48BE864C.6000006>