Date: Sun, 6 Jul 2014 23:12:22 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: "keep state" does not work
Message-ID: <201407062312.32278.vegeta@tuxpowered.net>
In-Reply-To: <6851EFD94261DC4E81707E7F29930840B1A039E6@HIKAWSEX01.ad.harman.com>
References: <6851EFD94261DC4E81707E7F29930840B1A039E6@HIKAWSEX01.ad.harman.com>
On Tuesday, 1 July 2014 at 14:40:47, Spenst, Aleksej wrote:
> Hi All,
>
> I have a problem that when I use the rules with "keep state" my use case
> does not work. When I use two rules "pass out" and "pass in" (instead of
> one "pass out" rule with keep state) then everything works.
>
> These rules work fine:
>
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> pass in quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

When displaying states, add -v. You will see which rule really created them.
You should need only one of those rules. Judging from where the port number is
specified, I guess that it is (self) creating connections to hosts in
172.16.222/24. In that case you should only need the "out" rule. Each new TCP
connection should then create a state, and the next packets in those connections
should be passed by matching a state instead of being pushed down the firewall
rule list.

One more thing: such passing rules are in fact created with a requirement for
TCP flags to be SYN or SYN+ACK. This means that when you first start pf, existing
TCP sessions will not match those rules at all and will not create new states.

> Now, instead of these two rules I write the following rule with "keep
> state" and it does not work:
>
> pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
> keep state
>
> The strange thing is that in this case I don't see any blocked packets in
> logs!

You have presented just one (or two) lines of the firewall. If there is nothing
else, there is no blocking. If there are more rules, presenting your whole
firewall will greatly help to investigate the issue.

> I also see that the state "self -> 172.16.222/24 port 7236" always
> exists.

Just a moment ago you said that "it does not work". Now you say that states
are created. Those statements are quite opposed to each other.

> Does anyone have experience that "keep state" does not work as expected for
> some reason?

Broken TCP packets, asymmetric routing (usually fixed with sloppy tracking),
change of routing when pf is already running (fixed with sloppy + flags=any,
but this costs you security), and finally some bugs in pf. But probably not in
this case.

--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
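As an added illustration of the single stateful rule recommended in the reply above (an example pf.conf fragment written for this page, not a ruleset from the thread or its participants): the interface wfd0, the network 172.16.222/24 and port 7236 come from the original post; the trailing block rule and the sloppy variant are assumptions used to show the failure modes the reply names.

```pf
# Example pf.conf fragment (added here, not from the thread).
# Interface, network and port are the poster's; the rest is assumed.

# What the poster had: two rules that pass each direction independently,
# so every packet of the session is evaluated against the rule list.
# pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236
# pass in  quick on wfd0 proto tcp from 172.16.222/24 port 7236 to (self)

# Stateful replacement: one rule, matched only by the connection-opening
# SYN.  "flags S/SA" and "keep state" are the defaults for pass rules in
# current pf; spelling them out documents why existing sessions seen after
# a pf restart are not picked up (they carry no bare SYN).
pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236 \
    flags S/SA keep state

# Reply packets never reach the rule list: they match the state entry
# created by the rule above.  Anything on wfd0 without a state is logged
# and dropped, so a missing state shows up in pflog instead of failing
# silently (assumed rule; a real ruleset would pass its other services).
block log on wfd0

# Only when the return path is asymmetric (packets of one session cross the
# firewall on different interfaces) relax the tracking.  Adding "flags any"
# also admits mid-session packets from connections that predate pf, at the
# price of no longer validating the handshake, which is the security cost
# the reply mentions.
# pass out quick on wfd0 proto tcp from (self) to 172.16.222/24 port 7236 \
#     flags any keep state (sloppy)
```

To verify which rule created a state, `pfctl -vss` prints each state with the number of its originating rule, and `pfctl -vvsr` prints the loaded ruleset with the matching `@N` numbers; a connection that is carried by the stateful rule should show exactly one state per TCP session rather than a fresh rule match per packet.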