From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Date: Tue, 3 Dec 2019 10:26:09 +0100
In-Reply-To: <20191203034903.GA33853@admin.sibptus.ru>

> Do you mean to say that a state checks not only address:port pairs, but
> also TCP flags? This is a new notion for me. What would be a "pass" rule
> to create a "catch all" state with no regard for TCP flags?

For TCP it checks the flags when the state is created. From man pf.conf:

    flags / | / | any
        This rule only applies to TCP packets that have the flags set
        out of set . Flags not specified in are ignored. For stateful
        connections, the default is flags S/SA. To indicate that flags
        should not be checked at all, specify flags any. The flags are:
        (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.

>
>> Afaik a pass rule only creates state on the interface it
>> monitors.
>
> I'm afraid this is an incorrect assumption.
>
>> I did not recreate your setup to check this though. But this
>> is what should happen:
>>
>> With rule 2 remarked:
>>
>> - Your initial telnet SYN will create state on $inside through rule 3.
>> - There should be no state created on $dmz.
>
> I'm afraid this is an incorrect assumption. According to man pf.conf, by
> default "state-policy=floating" and state is not bound to interfaces.
> The output of "pfctl -s state" does not indicate any interfaces either,
> just protocols, addresses and ports.
>

This is weird. My state tables clearly show the interface name first on
the line instead of "all", but I use state-policy if-bound. I have no
experience with floating mode, thus my assumptions earlier. I apologize
if I was wrong.

/Morgan
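A pf.conf sketch of the two-interface setup discussed in this thread, added here as an illustration and not taken from either mail; it shows the default S/SA flag check next to the "flags any" variant, and the state-policy setting that decides whether "pfctl -s state" prints an interface name or "all". The interface names, the network macro and the 192.0.2.10 host are assumptions.

```pf
# Added example, not from the thread. Interface names and the DMZ host
# (192.0.2.10, a TEST-NET-1 address) are constructed placeholders.
inside   = "em0"
dmz      = "em1"
dmz_host = "192.0.2.10"

# Default policy: a state is not bound to an interface. The state created
# by the "pass in on $inside" rule also matches the same flow when it
# leaves on $dmz, so the "pass out on $dmz" rule is never evaluated for it
# and "pfctl -s state" shows "all" in the first column.
set state-policy floating
# With if-bound instead, the $inside state does not match on $dmz, the
# out rule is evaluated there and creates a second state bound to $dmz;
# "pfctl -s state" then prints the interface name first on each line.
# set state-policy if-bound

block all

# Default flag check (flags S/SA): only a packet with SYN set and ACK
# clear, i.e. the first packet of the handshake, creates state.
pass in on $inside proto tcp from $inside:network to $dmz_host port 23 keep state

# "catch all" form asked about above: flags any disables the check, so a
# mid-stream packet (for example an ACK seen after a pf reload) can also
# create state instead of being dropped by "block all".
pass in on $inside proto tcp from $inside:network to $dmz_host port 23 flags any keep state

pass out on $dmz proto tcp to $dmz_host port 23 keep state
```

After loading, compare "pfctl -s state" under each policy: the first column is the only place the binding is visible.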