From: Guido van Rooij <guido@gvr.org>
To: Jon Radel
Cc: freebsd-pf@freebsd.org
Date: Wed, 3 Sep 2008 15:52:04 +0200
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <20080903135204.GA28111@gvr.gvr.org>
In-Reply-To: <48BE9038.8020303@radel.com>
References: <20080903110943.GA25396@gvr.gvr.org> <48BE864C.6000006@radel.com> <20080903125407.GA27232@gvr.gvr.org> <48BE9038.8020303@radel.com>

On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
> > I did test the following ruleset:
> > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
> >
> > And there it works, but doesn't solve my problem unfortunately.
>
> And why doesn't it solve your problem?
>
> You really are going to have to either keep state on ep0 or allow
> everything that's legal in "pass out on ep0" statements.
>
> For example:
>
> block all
> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2
> pass out on ep0 inet from 10.0.0.2 to 1.2.3.1
> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>

And why is that so? This basically rules out keep state on outgoing
packets on any router-type system. That seems like an unnecessary
limitation. I have not yet heard any reason why this is the case.
pf was modelled after ipf, so I wonder why this change in state
handling was introduced.

-Guido
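An added example, not part of the thread and not Jon's or Guido's ruleset: a complete pf.conf for the router layout the thread describes, written so that each interface the connection crosses gets its own stateful rule. It reuses the interfaces (ep0, bge0) and addresses (1.2.3.1, 10.0.0.2) from the thread; which interface faces which host is an assumption, as are the macro names. The point it shows is the one Jon makes: a state entry only matches traffic on the interface and in the direction it was created for, so with a default block on both interfaces the connection has to be allowed on ep0 (in) and on bge0 (out), and a single "keep state" on bge0 out does not cover the reply leaving on ep0.

```pf
# Added example (not from the thread). Assumptions: ep0 faces the
# client 1.2.3.1, bge0 faces the server 10.0.0.2, no NAT in the path.
int_if = "ep0"
ext_if = "bge0"
client = "1.2.3.1"
server = "10.0.0.2"

set skip on lo0

# Default deny in both directions on every interface, so every hop of
# the forwarding path has to be accounted for explicitly.
block log all

# Inbound on ep0: the client's first packet is filtered here, before
# any "out on bge0" rule is evaluated. The state created here also
# matches the server's replies going back out on ep0, so no separate
# "pass out on ep0" rule for the return traffic is needed.
pass in quick on $int_if inet proto tcp from $client to $server \
    flags S/SA keep state

# Outbound on bge0: the same packet is filtered again on its way out.
# The state created here matches the replies arriving in on bge0.
# On its own (without the ep0 rule above) this state would not let
# the reply leave on ep0, which is what the thread observes.
pass out quick on $ext_if inet proto tcp from $client to $server \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. After opening a connection from 1.2.3.1 to 10.0.0.2, `pfctl -vss` lists the two state entries, one per interface; if one of the pass rules is dropped, `pfctl -vvsr` shows the block rule's counters increasing for the hop that is no longer covered.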