Date: Tue, 03 Dec 2019 09:51:30 +0100
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-pf <freebsd-pf@freebsd.org>
Subject: Re: pf's states
Message-ID: <bf32ec63-0d03-43a6-a833-903fc3509e33@www.fastmail.com>
In-Reply-To: <20191203070555.GA38510@admin.sibptus.ru>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz> <20191203070555.GA38510@admin.sibptus.ru>
TLDR: add log to the rules, then start pflog, use wireshark or tcpdump on the pflog interface and you can see exactly which rule is applied to that packet.

On Tue, 3 Dec 2019, at 08:05, Victor Sudakov wrote:
> Morgan Wesström wrote:
>
> > - Your initial telnet SYN will create state on $inside through rule 3.
> > - There should be no state created on $dmz.
> > - Your SYN+ACK reply and further replies will be passed by pf's default
> > pass behaviour on $dmz.
>
> OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.
>
> 1. Here is the picture without the "block..." rule:
>
> root@inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> 64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
> 64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
> 64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
> 64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
> 64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms
>
> root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:1283 <- 192.168.10.3:1283 0:0
> all icmp 192.168.10.3:1283 <- 172.16.1.10:1283 0:0
> root@fw:~ #
>
> 2. Here is the picture with the "block..." rule uncommented:
>
> root@inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> (no reply)
>
> root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> block drop in on vtnet1 inet from any to 192.168.0.0/16
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:8707 <- 192.168.10.3:8707 0:0
> root@fw:~ #
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/
>
> Attachments:
> * signature.asc

--
—
Dave Cottlehuber
+43 67 67 22 44 78
Managing Director
Skunkwerks, GmbH
http://skunkwerks.at/
ATU70126204
Firmenbuch 410811i
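Added here as a worked example, not code from the thread or from FreeBSD: Victor's three rules with `log` added, the pflog/tcpdump step Dave describes, and a small helper that tallies which rule, action and interface each logged packet hit. Assumptions: vtnet2 is the inside interface and vtnet1 the DMZ one (as Morgan's "rule 3 creates state on $inside" implies), and the pflog lines are constructed to show the record shape, not a capture from Victor's firewall.

```shell
#!/bin/sh
# Victor's rules with `log` added, in the order pfctl -s rules prints them.
# `log` records the packet that matches the rule (the one creating state);
# later packets matched by the state are not logged unless you use `log (all)`.
PF_RULES='pass in log on vtnet1 all flags S/SA keep state
block drop in log on vtnet1 inet from any to 192.168.0.0/16
pass in log on vtnet2 all flags S/SA keep state'

# On the firewall you would then run (not executed here):
#   sysrc pflog_enable=YES && service pflog start
#   tcpdump -n -e -ttt -i pflog0 icmp
# Each record begins "rule N/0(match): ACTION DIR on IFACE:", where N is the
# rule's 0-based index, the @N shown by `pfctl -vvs rules`.

# Constructed sample in that shape (assumption: the echo request enters on
# vtnet2, the reply enters on vtnet1 and hits the block rule).
SAMPLE_PFLOG='00:00:00.000000 rule 2/0(match): pass in on vtnet2: 192.168.10.3 > 172.16.1.10: ICMP echo request, id 8707, seq 0, length 64
00:00:00.000412 rule 1/0(match): block in on vtnet1: 172.16.1.10 > 192.168.10.3: ICMP echo reply, id 8707, seq 0, length 64
00:00:01.001200 rule 1/0(match): block in on vtnet1: 172.16.1.10 > 192.168.10.3: ICMP echo reply, id 8707, seq 1, length 64'

# Tally pflog records by rule number, action, direction and interface.
# Reads tcpdump output on stdin; prints "rule N ACTION DIR IFACE COUNT".
summarize_pflog() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "rule" && $(i + 1) ~ /^[0-9]+\/[0-9]+\(/) {
                split($(i + 1), r, "/")
                ifc = $(i + 5); sub(/:$/, "", ifc)
                hits["rule " r[1] " " $(i + 2) " " $(i + 3) " " ifc]++
                break
            }
    }
    END { for (k in hits) print k, hits[k] }' | sort
}

# Map a pflog rule number back to its rule text (0-based like @N in
# `pfctl -vvs rules`); here it reads PF_RULES instead of the live ruleset.
rule_text() {
    printf '%s\n' "$PF_RULES" | sed -n "$(($1 + 1))p"
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
rule_text 1
```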