Date: Wed, 03 Sep 2008 08:42:52 -0400 From: Jon Radel <jon@radel.com> To: Guido van Rooij <guido@gvr.org> Cc: freebsd-pf@freebsd.org Subject: Re: keeping state on outgoing connections fails (?) Message-ID: <48BE864C.6000006@radel.com> In-Reply-To: <20080903110943.GA25396@gvr.gvr.org> References: <20080903110943.GA25396@gvr.gvr.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Guido van Rooij wrote:
>
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>
> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
> and passes because of rule 1.
> Then the packet goes out via bge0, is passed via rule 3 and a satte entry is
> created.
>
> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>
> Then the packet should be sent out via ep0, but it is blocked, as pflogd shows:
And does the problem go away when you put a "keep state" at the end of
line 1?
--Jon Radel
[-- Attachment #2 --]
0 *H
01
0 +�0 *H
�� 100\mtv0
*H
�0b1
0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10
URadel10U*
Jon Thomas10UJon Thomas Radel1
0 *H
jon@radel.com0"0
*H
��0
�t,P
p#
٬q_2=L-^m
>z3ʟV![([ AoE}ϛ3/6?cWx(/)'$6sTl<*i'=uox
Mbt
rdtnxud1R6T>zU0FZ,vN9NP{>qE`^P; *Wg/jN*OVՠQMB(=:
�*0(0U
0
jon@radel.com0
U
0�0
*H
��h!oܨ[А!fN#[Z
b$3?x&$~Ħ9}`MX[It}/bXZajgxɥ' 2NrtWAr sFި'^@mDVw\)00\mtv0
*H
�0b1
0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10
URadel10U*
Jon Thomas10UJon Thomas Radel1
0 *H
jon@radel.com0"0
*H
��0
�t,P
p#
٬q_2=L-^m
>z3ʟV![([ AoE}ϛ3/6?cWx(/)'$6sTl<*i'=uox
Mbt
rdtnxud1R6T>zU0FZ,vN9NP{>qE`^P; *Wg/jN*OVՠQMB(=:
�*0(0U
0
jon@radel.com0
U
0�0
*H
��h!oܨ[А!fN#[Z
b$3?x&$~Ħ9}`MX[It}/bXZajgxɥ' 2NrtWAr sFި'^@mDVw\)0?0
0
*H
�01
0 UZA10U
Western Cape10U Cape Town10U
Thawte Consulting1(0&U
Certification Services Division1$0"UThawte Personal Freemail CA1+0) *H
personal-freemail@thawte.com0
030717000000Z
130716235959Z0b1
0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA00
*H
��0�Ħ<UsUNʙZ
hup
[v
:aQP
0cZ,p+Z?qV˯<
6$*+w=+>@dקe*TH<a@
dr`�00U
0�0CU
<0:08642http://crl.thawte.com/ThawtePersonalFreemailCA.crl0
U
0)U
"0
0
10UPrivateLabel2-1380
*H
��HP
.
fgCL!6 -6/
P p<ab:~�
t%Pb'qW%ݩ9 Oe_N4[5MwV!x!5$
F]_eO1d0`0v0b1
0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAmtv0 +�0 *H
1
*H
0
*H
1
080903124252Z0# *H
1lBޅ0R *H
1E0C0
*H
0*H
�0
*H
@0+0
*H
(0 +71x0v0b1
0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAmtv0
*H
1xv0b1
0 UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAmtv0
*H
��7NJeJu[ދvjW]71!T2L]LC$
�'D`
q
콩ruo/<&ր/uدF<2EƜ[wa
Nx˸( {J(t�}3
]O@bkNG ;
OJ0(̆o?eIIH4{ES
=m]
1�eNY`ki]$pvK 1aި������
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48BE864C.6000006>