From: Vinicius Vianna
To: Erik Norgaard
Cc: questions@freebsd.org
Date: Thu, 03 Apr 2008 09:18:40 -0300
Subject: Re: packet filter does not keep state
Message-ID: <47F4CB20.3090903@ongame.com.br>
List: freebsd-questions@freebsd.org

Hi Erik,

Remember that any quick rule will apply on it, and pf will not search any further; maybe you should clean up your pf.conf a little bit.
Maybe by removing all quick rules you get what you want ;)

-----------------------------
block in log on $wlan_if inet from $wlan_net to
pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
    port $local_tcp flags S/SA keep state
pass in log quick on $wlan_if inet proto udp from $wlan_net to \
    port $local_udp keep state
pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
    icmp-type $local_icmp keep state
# REMOVE THIS
# block in log quick on $wlan_if inet from $wlan_net to

block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to ! \
    keep state
# REMOVE THIS
# here you are saying to pf block this connection, no matter all pass rules above
# block out log quick on $srv_if
--------------------------------

Tell me if this helps you,

Regards,

Erik Norgaard wrote:
> Hi,
>
> I have a problem connecting from one local subnet to another crossing
> an FBSD box with pf. Should be trivial, I have the following ruleset:
>
> # Local services accessible from wlan
> block in log on $wlan_if inet from $wlan_net to
> pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
>     port $local_tcp flags S/SA keep state
> pass in log quick on $wlan_if inet proto udp from $wlan_net to \
>     port $local_udp keep state
> pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
>     icmp-type $local_icmp keep state
> block in log quick on $wlan_if inet from $wlan_net to
>
> block out log on $srv_if
> pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
> pass out quick on $srv_if inet from $srv_ip to ! \
>     keep state
> block out log quick on $srv_if
>
> is a table of the directly attached local networks. I try
> to connect from my wireless to a wired LAN.
>
> But, tcpdump on pflog0 shows this:
>
> 000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 > 192.168.0.254.80: [|tcp]
> 000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 > 192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]
>
> Evidently, the packet is matched by the correct pass in rule, yet no
> state is created and it is subsequently blocked by the block out rule.
>
> I can add a pass out rule to get through, but that shouldn't be the
> correct solution. Why does pf not keep state?
>
> Thanks, Erik
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
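The thread turns on two pf behaviours: ruleset evaluation is last-match-wins unless a matching rule carries "quick", which ends the search at that rule, and the state table is consulted before the ruleset at all. The Python model below is an added illustration for this page; it is not pf's code and not either poster's configuration. It reproduces the posted ruleset with constructed stand-ins for the macros (ath0 and vr0 from the log, 172.17.1.0/24 and 192.168.0.0/24 as the wireless and wired networks, port 80 as the only local TCP service, and a two-entry tuple standing in for the table of directly attached networks, whose name did not survive extraction). States are modelled as floating, pf's default state-policy, so a state created by the "pass in" on one interface also matches the same flow on the other. Rule positions in the output are indices into this list, not the rule numbers pflog printed.

```python
"""Simplified model of pf ruleset evaluation (added illustration, not pf code).

Two documented behaviours are modelled: the last matching rule wins unless a
matching rule is 'quick', which ends the search; and the state table is checked
before the ruleset, with floating states (pf's default state-policy), so a state
created on one interface also matches the same flow on another.  Interfaces,
networks, ports and the local-networks table are constructed stand-ins for the
macros in the posted ruleset.
"""
from collections import namedtuple
from typing import Optional, Tuple
import ipaddress

# src/dst: "any", one CIDR string, or a tuple of CIDRs standing in for a table.
# negate_dst models "to ! table"; dports None matches any destination port.
Rule = namedtuple("Rule", "action direction iface proto src dst negate_dst "
                  "dports quick keep_state",
                  defaults=(None, "any", "any", False, None, False, False))
Packet = namedtuple("Packet", "iface direction proto src sport dst dport")


def _in_net(addr: str, spec) -> bool:
    if spec == "any":
        return True
    nets = spec if isinstance(spec, tuple) else (spec,)
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)


def _matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or r.proto == p.proto)
            and _in_net(p.src, r.src)
            and (_in_net(p.dst, r.dst) != r.negate_dst)
            and (r.dports is None or p.dport in r.dports))


def evaluate(rules, p: Packet) -> Tuple[Optional[int], str]:
    """Walk the ruleset top to bottom.  Returns (1-based position of the winning
    rule, its action); (None, "pass") if nothing matched, pf's default."""
    winner: Tuple[Optional[int], str] = (None, "pass")
    for n, r in enumerate(rules, 1):
        if _matches(r, p):
            winner = (n, r.action)
            if r.quick:          # quick: this match is final, stop searching
                break
    return winner


class Firewall:
    """Stateful filter: state lookup first, ruleset only on a miss."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    def filter(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass (state)"
        n, action = evaluate(self.rules, p)
        if action == "pass" and n is not None and self.rules[n - 1].keep_state:
            self.states.add(fwd)  # keep state: later packets skip the ruleset
        return f"{action} (rule {n})"


def without_quick(rules):
    """The same ruleset with every quick flag cleared (pure last-match-wins)."""
    return [r._replace(quick=False) for r in rules]


# Constructed stand-ins for the macros in the posted ruleset.
WLAN_IF, SRV_IF = "ath0", "vr0"
WLAN_NET, SRV_NET, SRV_IP = "172.17.1.0/24", "192.168.0.0/24", "192.168.0.1"
LOCAL = (WLAN_NET, SRV_NET)          # the directly attached networks table
TCP_PORTS = frozenset({80})

RULES = [
    Rule("block", "in", WLAN_IF, src=WLAN_NET, dst=LOCAL),
    Rule("pass", "in", WLAN_IF, "tcp", WLAN_NET, LOCAL, dports=TCP_PORTS,
         quick=True, keep_state=True),
    Rule("pass", "in", WLAN_IF, "udp", WLAN_NET, LOCAL, dports=frozenset({53}),
         quick=True, keep_state=True),
    Rule("pass", "in", WLAN_IF, "icmp", WLAN_NET, LOCAL, quick=True, keep_state=True),
    Rule("block", "in", WLAN_IF, src=WLAN_NET, dst=LOCAL, quick=True),
    Rule("block", "out", SRV_IF),
    Rule("pass", "out", SRV_IF, src=SRV_IP, dst=SRV_NET, quick=True, keep_state=True),
    Rule("pass", "out", SRV_IF, src=SRV_IP, dst=LOCAL, negate_dst=True,
         quick=True, keep_state=True),
    Rule("block", "out", SRV_IF, quick=True),
]

# The flow from the pflog excerpt: a SYN arriving on ath0, then leaving on vr0.
PKT_IN = Packet(WLAN_IF, "in", "tcp", "172.17.1.254", 49347, "192.168.0.254", 80)
PKT_OUT = Packet(SRV_IF, "out", "tcp", "172.17.1.254", 49347, "192.168.0.254", 80)

if __name__ == "__main__":
    print("ruleset only, in :", evaluate(RULES, PKT_IN))
    print("ruleset only, out:", evaluate(RULES, PKT_OUT))
    fw = Firewall(RULES)
    print("stateful, in     :", fw.filter(PKT_IN))
    print("stateful, out    :", fw.filter(PKT_OUT))
    print("no quick, in     :", evaluate(without_quick(RULES), PKT_IN))
```

Walking the ruleset alone for the outbound packet on vr0 ends at the final "block out quick", which is the shape of the pflog excerpt; with a state entry from the "pass in ... keep state" in play, the same packet passes on state without touching the out rules. Clearing every quick flag makes the trailing "block in" the last match for the inbound SYN, so the position of the block rules, not only the quick keywords, decides the result.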