Date:      Mon, 30 May 2005 22:53:14 +0200
From:      Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To:        freebsd-questions@freebsd.org
Subject:   issue with pf.conf (was: Re: Clients receive only first 4k (issue with pf.conf) -- ignore others)
Message-ID:  <429B7D3A.7080205@orchid.homeunix.org>
In-Reply-To: <5843C5B4-AAA9-4A64-BEE2-9CB5E7476966@maxify.com>
References:  <199B60BD-1D20-492E-A278-21BD0CCF3475@maxify.com> <5843C5B4-AAA9-4A64-BEE2-9CB5E7476966@maxify.com>

Scott Stevenson wrote:
> 
> On May 30, 2005, at 9:23 AM, Scott Stevenson wrote:
> 
>> The problem is that if I use the version without "keep state," the 
>> machine can't send outbound mail, and I see messages like this in 
>> maillog:
>>
>>     May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery  639634:
>> deferral
>>     Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
>>
>> In fact, I tried to send this message to the list twice yesterday, 
>> but realized that mail packets were being filtered out. I looked at 
>> pflog0 while mail was being sent, but I wasn't able to find the 
>> bounced packets. Here's the relevant smtp line:
>>
>>     pass  in  quick on $ext_if proto { tcp, udp } from any to any 
>> port 25
>>
>>
>> I'm much more familiar with the firewalls bundled with various linux
>> distributions, so I'm really stumped. I've read through various
>> sections of the PF faq, but I haven't found an answer to this.
>> 
> 
> 
> Sorry to post *yet again* on this, but I think I finally figured out 
> what was wrong. I want to post a follow-up for the archives. The 
> solution to "partial page" Apache problem was to balance the "keep 
> state" directives.
> 
> 
> Originally, the httpd line looked like this:
> 
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any  port 80
> 
> And the "out" line looked like this:
> 
>     pass  out on $ext_if proto { tcp, udp } all keep state
> 
> 
> The solution was to change the httpd line to this:
> 
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any  port 80 keep state


That 'keep state' turns on stateful inspection. Here's a quick excerpt from the
PF FAQ:

<<One of Packet Filter's important abilities is "keeping state" or
"stateful inspection". Stateful inspection refers to PF's ability to
track the state, or progress, of a network connection. By storing
information about each connection in a state table, PF is able to
quickly determine if a packet passing through the firewall belongs to
*an already established connection*. If it does, it is passed through
the firewall without going through ruleset evaluation.>>[1]

(emphasis mine)

That means you'll need to set up rules for originating packets only
(the rest is handled automagically).


> Does it make sense that I'd need "keep state" for both in and out, or 
> is this a PF bug?

It depends on what you need. Does this machine run Apache only? Do you
want your Apache to make _outgoing_ connections? If not, you'll most
probably want to open incoming traffic only (keeping states):

pass  in  quick on $ext_if proto { tcp, udp } from any to any  port 80 keep state

and do _not_ allow outgoing connections with "pass out ...".

But if you want to browse websites from that machine, you'll need the
"pass out ... port 80 keep state", too.


While we're here, do you really need UDP traffic to the Apache server? You
may also want to look at TCP flags in the FAQ[2]. Here's a simple config I
use for serving http:

======
set block-policy return
scrub in all
block in log all
block out log all
pass  in  quick on lo0
pass  out quick on lo0
pass  in  log quick on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA keep state
======



> Should I add it to these as well?
> 
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any  port 25
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any  port 53


Yes, if you want them visible from the Internet.

Looking at the "pass out" rule, it's not clear to me what the purpose of
this machine is. To receive more help, please specify the setup (is this
machine directly connected to the Internet? what services are running?
what do you want to pass inside/outside? pf.conf, etc.). And, of course,
looking at PF's FAQ (http://www.openbsd.org/faq/pf/) might be a good idea.
Hope that helps.


Regards,

Karol


[1] http://www.openbsd.org/faq/pf/filter.html#state
[2] http://www.openbsd.org/faq/pf/filter.html#tcpflags

-- 
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
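The advice in the thread above, gathered into one pf.conf as an added example (not Karol's or Scott's ruleset): state is created only on the packet that originates each connection, so the host accepts http, smtp and dns from the outside with "keep state" on the "in" rules, and qmail's outbound SMTP and the resolver's DNS queries get "keep state" on the "out" rules; nothing else leaves the box. The interface name fxp0 is an assumed placeholder; udp is dropped from the port 80 rule and "flags S/SA" is applied to every tcp rule, as the FAQ[2] suggests.

```pf
# Added example ruleset; fxp0 is an assumed placeholder for the external interface.
ext_if = "fxp0"

set block-policy return
scrub in all

# Default deny in both directions; log what gets dropped so it shows up on pflog0.
block in  log all
block out log all

# Loopback is unrestricted.
pass in  quick on lo0
pass out quick on lo0

# Services offered to the Internet. The incoming SYN creates the state entry,
# so Apache's and qmail's replies are matched by the state table, not by a rule.
pass in log quick on $ext_if inet proto tcp from any to $ext_if port { 80, 25 } \
    flags S/SA keep state
pass in quick on $ext_if inet proto { tcp, udp } from any to $ext_if port 53 \
    keep state

# Connections this host originates itself: mail delivery and DNS lookups only.
# There is deliberately no "pass out ... port 80", so the box cannot browse.
pass out quick on $ext_if inet proto tcp from $ext_if to any port 25 \
    flags S/SA keep state
pass out quick on $ext_if inet proto { tcp, udp } from $ext_if to any port 53 \
    keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries the "keep state" rules create.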


