Date: Fri, 7 Apr 2017 09:47:58 +0200
From: Nils Beyer <nbe@renzel.net>
To: freebsd-net@freebsd.org
Subject: Re: [PF] Symmetric routing enforcement, how-to without using "reply-to"...
Message-ID: <da74ee12-6d70-37a8-0e5a-d3cd4cf39ddd@renzel.net>
In-Reply-To: <CADDnucn51R2vzyPGKOjiAzj5kjuCZ3gRPCkwFn5RoC%2B338=bvQ@mail.gmail.com>
References: <4956261.2DO1X0b8Gd@asbach.renzel.net> <CADDnucn51R2vzyPGKOjiAzj5kjuCZ3gRPCkwFn5RoC%2B338=bvQ@mail.gmail.com>
On 04/07/2017 03:40, Takahiro Kurosawa wrote:
> What if you change the line:
> pass in inet proto tcp to port { ssh }
> to:
> pass in inet proto tcp to port { ssh } no state

Close, but I had to use the "no state" on the "pass out" rules as well. Now it looks like this:

-----------------------------------------------------------------------
scrub in all
set skip on lo0

pass in quick inet proto icmp from any to self no state
pass in quick inet proto tcp from any to self port { ssh } no state
block in quick log to self

pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any
pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any no state
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any no state
pass out quick from self
-----------------------------------------------------------------------

> Without "no state", the incoming ssh packet generates a pf state entry,
> then the response packets are probably passed by the state instead of
> using "route-to" rules.

That makes absolute sense...

Regards,
Nils
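For readers who want to reproduce the stateless variant discussed above, here is a complete pf.conf written as an added example; it is not Nils's ruleset or anything from the FreeBSD project. The macros at the top (em0/em1 and the two gateway addresses from documentation ranges) are placeholders and must be replaced with the host's own uplinks. The point it demonstrates is the one Takahiro makes: once an inbound "pass" creates a state entry, pf matches the replies against that state and never consults the outbound "route-to" rules, so the replies leave via the default route; with "no state" on both the inbound and the outbound rules, every reply is evaluated against the "route-to" rules and leaves on the uplink whose address it carries. pf's documented stateful alternative is "reply-to", which the thread subject says is to be avoided here.

```pf
# Added example (not Nils's ruleset): two-uplink host that answers SSH and
# ICMP on the uplink the request arrived on, without using "reply-to".
# Interface names and gateways are placeholders; set them for the host.
if_ext1 = "em0"
if_ext2 = "em1"
gw_ext1 = "192.0.2.1"
gw_ext2 = "198.51.100.1"

scrub in all
set skip on lo0

# Inbound: "no state" so the reply packets are not short-circuited by a
# state entry; they must instead match the "pass out" rules below.
pass in quick inet proto icmp from any to self no state
pass in quick inet proto tcp from any to self port { ssh } no state
block in quick log to self

# Outbound: a packet sourced from one uplink's address leaves through
# that uplink's gateway, even when the routing table chose the other
# interface. "no state" here too, otherwise the first reply would create
# a state and the following replies would bypass these rules.
pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from ($if_ext1) to any no state
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from ($if_ext2) to any no state

# Locally originated traffic keeps normal stateful handling.
pass out quick from self
```

Two things to keep in mind with this approach. Because the SSH rule is stateless, pf does not track the TCP connection at all: the sequence-window and flag checks that a stateful "pass" provides do not apply to port 22, and the session will not appear in "pfctl -ss", so the normal way of confirming the behaviour is "pfctl -vnf /etc/pf.conf" to parse the file and "tcpdump -ni em1 port 22" on the second uplink to confirm that replies to connections which arrived there also leave there. The stateless "pass in" also means each reply must be matched by some "pass out" rule; the final "pass out quick from self" catches the replies that leave on the uplink the routing table would have chosen anyway.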