Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 03 Sep 2008 10:13:08 -0400
From:      Jon Radel <jon@radel.com>
To:        Guido van Rooij <guido@gvr.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: keeping state on outgoing connections fails (?)
Message-ID:  <48BE9B74.90404@radel.com>
In-Reply-To: <20080903135204.GA28111@gvr.gvr.org>
References:  <20080903110943.GA25396@gvr.gvr.org> <48BE864C.6000006@radel.com> <20080903125407.GA27232@gvr.gvr.org> <48BE9038.8020303@radel.com> <20080903135204.GA28111@gvr.gvr.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 09:25:12AM -0400, Jon Radel wrote:
>>> I did test the folowing ruleset:
>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
>>> block drop out log quick on ep0 all
>>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
>>>
>>> And there it works, but doesn't solve my problem unfrotunately.
>> And why doesn't it solve your problem?
>>
>> You really are going to have to either keep state on ep0 or allow
>> everything that's legal in "pass out on ep0" statements.
>>
>> For example:
>>
>> block all
>> pass in on ep0 inet from 1.2.3.1 to 10.0.0.2
>> pass out on ep0 inet from 10.0.0.2 to 1.2.3.1
>> pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>
> 
> And why is that so? This bascially rules out keep state on outgouing packets
> on any router-type system. That seems like an unnecessary limitation.

What?  If you want state, turn it on:

block all
pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

should work fine also.  Other things being equal (in other words, your
mileage may vary....), that is both more secure and more efficient than
the first rule set I offered as an example.  I sent the first one only
because you insisted that your real rule set for 5 interfaces would not
allow you to maintain state on ep0 (or its equivalent).

You still haven't given us any hints as to why the solution which
maintains state on all interfaces is impossible for you.

> 
> I have not yet heart any reason why this is the case. pf was modelled
> after ipf, so I wonder why this change in state handling was introduced.

This is probably the wrong list if you want to have people justify
design decisions.

--Jon Radel

[-- Attachment #2 --]
0	*H
010	+0	*H
	100\mtv0
	*H
0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10URadel10U*
Jon Thomas10UJon Thomas Radel10	*H
	
jon@radel.com0"0
	*H
0
t,Pp#
٬q_2=L-^m>z3ʟV![([ AoE}ϛ3/6?񥃮cWx(/)'$6sTl<*i'=uoxMbt
rdtnxud1R6T>zU0FZ,vN9NP{>qE`^P;	*Wg/jN*OVՠQMB(=:
*0(0U0
jon@radel.com0U00
	*H
h!oܨ[А!fN#[Z
b$3?x&$~Ħ9}`MX[It}/bXZajgxɥ' 2NrtWAr sFި'^@mDVw\)00\mtv0
	*H
0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10URadel10U*
Jon Thomas10UJon Thomas Radel10	*H
	
jon@radel.com0"0
	*H
0
t,Pp#
٬q_2=L-^m>z3ʟV![([ AoE}ϛ3/6?񥃮cWx(/)'$6sTl<*i'=uoxMbt
rdtnxud1R6T>zU0FZ,vN9NP{>qE`^P;	*Wg/jN*OVՠQMB(=:
*0(0U0
jon@radel.com0U00
	*H
h!oܨ[А!fN#[Z
b$3?x&$~Ħ9}`MX[It}/bXZajgxɥ' 2NrtWAr sFި'^@mDVw\)0?0
0
	*H
010	UZA10UWestern Cape10U	Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0)	*H
	personal-freemail@thawte.com0
030717000000Z
130716235959Z0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA00
	*H
0Ħ<UsUNʙZhup[v:aQP
0cZ,p+Z?qV˯<6$*+w=+>@dקe*TH<a@dr`00U00CU<0:08642http://crl.thawte.com/ThawtePersonalFreemailCA.crl0U0)U"0 010UPrivateLabel2-1380
	*H
HP.
fgCL!6-6/P p<ab:~t%Pb'qW%ݩ9 Oe_N4[5MwV!x!5$F]_eO1d0`0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAmtv0	+0	*H
	1	*H
0	*H
	1
080903141308Z0#	*H
	1.g콣*L'O*_0R	*H
	1E0C0
*H
0*H
0
*H
@0+0
*H
(0	+71x0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAmtv0*H
	1xv0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAmtv0
	*H
d(qt}ZPn+qZ/|fَۛrqܢ
Fcx҄\| 9pvhǭNC7Y"SqbL|uIicݷfkhP6%c"/#kc{b].:-qC'%
֓k<
wבńcLIH`	v, ;iyԛfyal]xh`u8؞n902

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48BE9B74.90404>