Date: Mon, 19 Jun 2006 14:01:46 +0800
From: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
To: Kian Mohageri <kian.mohageri@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: outgoing LAN traffic always in "keep state"
Message-ID: <44963DCA.8030800@infoweapons.com>
In-Reply-To: <fee88ee40606182233v3b280dbbgfa57a30f311c4ef7@mail.gmail.com>
References: <44960900.4000406@infoweapons.com> <fee88ee40606182233v3b280dbbgfa57a30f311c4ef7@mail.gmail.com>
I have the nat function enabled, and also tried enabling rdr and binat. Are you saying the "keep state" functionality depends on these 3? Here's my pf config file:

#
# Aliases
#
loopback = "{ lo0 }"
lan = "{ em0 }"
wan = "{ vr0 }"

#statistics
set loginterface em0
set loginterface vr0

#optimize packets
set optimization normal

#normalize outgoing packets IP ID field
scrub log on vr0 all random-id fragment reassemble

#
# NAT on WAN interface (dont use IF alias for on the fly changes)
#
nat on $wan from 20.0.0.0/8 to any -> (vr0)

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# for ssh from 10.3.1.41 to 10.10.0.161
pass in log quick on $wan proto tcp from 10.3.1.41 to 10.10.0.161 port 22
pass out log quick on $wan proto tcp from 10.10.0.161 port 22 to 10.3.1.41

# tcp from internal source to external dest
# note: response packet will not be evaluated against incoming wan rules
pass in log quick on $lan proto tcp from 20.0.0.0/8 to 10.3.2.19
pass out log quick on $wan proto tcp from 10.10.0.161 to 10.3.2.19
pass in log quick on $wan proto tcp from 10.3.2.19 to 10.10.0.161
pass out log quick on $lan proto tcp from 10.3.2.19 to any

#
# default block
#
block in log quick all
block out log quick all

Kian Mohageri wrote:
> Post your ruleset and people can help you. You're probably using
> nat/rdr/binat which create states.
>
> -Kian
>
> On 6/18/06, Ronnel P. Maglasang <rmaglasang@infoweapons.com> wrote:
> >
> > I have a minimum PF setup that sits in between my internal
> > network (lan) and external network (wan). PF by design bypasses
> > ruleset evaluation (on external interfaces) for incoming packets
> > on the external interface that correspond to an entry in the
> > state table or are a response to an internally generated packet.
> > I observe this for TCP, UDP and also ICMP packets. Even if the
> > matching rule on the internal interface does not have a "keep
> > state", still the response packet bypasses the ruleset evaluation.
> > Is there a way to (force) allow response packets to go through
> > ruleset evaluation? I just want to have full control of the
> > incoming packets on the external interface whether they are a
> > response to LAN traffic or not. I'll be implementing queueing
> > soon and I think this PF behavior will affect it badly. Has
> > anyone experienced this?
> >
> > Thanks a lot.
> > - sho
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
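As an added illustration (editor's example, not part of the thread and not the poster's configuration), here is a minimal pf.conf that isolates the behaviour Kian is pointing at: a translation rule (nat, rdr or binat) inserts a state entry for every connection it translates on its own, so whether the filter rule that passes the packet says "keep state" is irrelevant, and the reply arriving on the WAN interface matches that state instead of being evaluated against the inbound WAN rules. The interface names, the LAN prefix, the bandwidth figures and the queue names are assumptions. The queue assignment on the outbound WAN rule rests on one further assumption, stated in the comments: that pf tags both directions of a stateful connection with the queue of the filter rule that created the state, so the rule that creates the state is the place to put the queue keyword.

```pf
# Added example, not the poster's config. Interfaces, addresses,
# bandwidths and queue names are assumptions chosen to mirror the thread.
lan     = "em0"
wan     = "vr0"
lan_net = "20.0.0.0/8"

# Translation: every connection matched here gets a state entry of its
# own, whether or not the filter rule that later passes it has
# "keep state". This is the implicit state the poster is seeing.
nat on $wan from $lan_net to any -> ($wan)

# ALTQ on the WAN side. Queue names are global to pf, so a rule on any
# interface can reference them.
altq on $wan cbq bandwidth 2Mb queue { std_out, ssh_out }
  queue std_out bandwidth 80% cbq(default)
  queue ssh_out bandwidth 20% priority 4

pass in  quick on lo0 all
pass out quick on lo0 all

# LAN -> WAN. The state is created when the first packet leaves $wan
# (translation happens there), and the reply on $wan matches that state
# and never reaches the "pass in on $wan" rules further down.
# Assumption: pf applies the queue of the state's rule to packets in
# both directions of the connection, so the queue belongs on the rule
# that creates the state, i.e. the outbound WAN rule after translation.
pass in  quick on $lan proto tcp from $lan_net to any keep state
pass out quick on $wan proto tcp from ($wan) to any port 22 keep state queue ssh_out
pass out quick on $wan proto tcp from ($wan) to any keep state queue std_out

# Unsolicited inbound on the WAN side. These rules only ever see packets
# that did not match an existing state.
pass in  quick on $wan proto tcp from 10.3.1.41 to ($wan) port 22 keep state

block in  log quick all
block out log quick all
```

To confirm the behaviour on a running box rather than reason about it: pfctl -s state lists the entries, and a translated connection shows both the original and the translated address pair; pfctl -vvs rules prints per-rule Evaluations, Packets and States counters, and the Evaluations counter of the inbound $wan pass rules will not move for reply traffic of LAN-originated connections, which is the bypass the poster describes. There is no knob to make reply packets of a translated connection re-enter ruleset evaluation, because the translation itself needs the state to undo the address rewrite; the controllable part is which filter rule owns the state and therefore which queue and log options apply to it.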
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44963DCA.8030800>