Date: Wed, 2 Apr 2008 02:53:57 -0700 (PDT) From: Diego Salvador <salvador_d13@yahoo.com.ph> To: fox@verio.net Cc: freebsd-pf@freebsd.org Subject: Re: PF and State Table Message-ID: <684548.87924.qm@web57414.mail.re1.yahoo.com>
Sir David,

So you mean to say that it is really required for pf rules to specify TCP flags when used with keep state? Because this seems to relate to my previous problem with the PF firewall that causes a problem in browsing the Google and Youtube web sites with Windows Vista nodes behind PF. Example rules for the node are

    pass in on $ext_if inet from any to 192.168.100.1
    pass out on $ext_if inet from 192.168.100.1 to any keep state

where 192.168.100.1 is a Windows Vista node behind a FreeBSD PF firewall. As you can see from the above rules, I didn't specify any specific protocols like TCP, UDP and ICMP, so TCP here just uses the "keep state" option without flags. The Google and Youtube sites seem to not continue displaying web pages, but I can see that the connections were established between the Windows Vista node and the Google and Youtube sites.

Yes, that's what I'm looking for, the file where I can analyze the PF state table in the source code.

Thanks,
Diego Salvador

> > This is somewhat risky, because you really don't want to waste a state
> > entry on something that's half-way in the middle of a TCP session
> > (well, I suppose you could, but it seems insecure.
>
> It's more than just insecure; it can cause breakage of TCP connections, especially in a world where RFC 1323 is commonplace (i.e. today's world). If PF starts tracking state from the middle of a connection, it has missed out on discovering what TCP window scaling factors are in use. If there happens to be no scaling in use, it works fine, but if a scale factor is being applied, PF will not track the state correctly, and the connection will stall out.
>
> > What file in PF on the FreeBSD kernel is the state table structure
> > located in?
> >
> > I don't understand this question.
>
> I think the question is asking for details on how PF state is stored in memory. I found a very nice struct pf_state in /usr/include/net/pfvar.h.
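As an added illustration (not part of this thread), the two rule forms under discussion side by side in pf.conf syntax: the rules as posted, which create TCP state from whatever packet PF sees first, and a variant that creates TCP state only on the initial SYN so PF observes the window-scaling negotiation. The address comes from the message above; the interface name and the separate UDP/ICMP rule are my assumptions.

```pf
ext_if = "em0"            # assumed interface name; substitute your own
vista  = "192.168.100.1"  # the Windows Vista node from the thread

# --- Rules as posted (problematic) ---
# No protocol is given, so "keep state" applies to TCP without a flags
# restriction: PF creates a state for the first TCP packet it sees,
# even one from the middle of an existing connection, and then never
# learns the window scale factor that was negotiated in the SYN.
# pass in  on $ext_if inet from any to $vista
# pass out on $ext_if inet from $vista to any keep state

# --- Corrected form ---
# TCP: create state only on the initial SYN (S set, A clear), so PF
# sees the SYN / SYN-ACK exchange and the RFC 1323 window scale option.
# Recent pf releases default TCP pass rules to "flags S/SA"; writing
# it explicitly documents the intent and works on older versions too.
pass out on $ext_if inet proto tcp from $vista to any flags S/SA keep state

# UDP and ICMP carry no TCP flags; state is still kept so replies match.
pass out on $ext_if inet proto { udp, icmp } from $vista to any keep state

# Inbound: replies to the node's own connections are matched by the
# state table, so only genuinely new inbound connections need a rule.
# Limit this to services the node actually offers.
pass in on $ext_if inet proto tcp from any to $vista flags S/SA keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -ss` lists the current states; a TCP state created by the SYN-only rule first appears as SYN_SENT:CLOSED and becomes ESTABLISHED:ESTABLISHED once the handshake completes.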