Date: Wed, 2 Apr 2008 16:03:06 +0200 (CEST)
From: Erik Norgaard <norgaard@math.ku.dk>
To: questions@freebsd.org
Subject: packet filter does not keep state
Message-ID: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
Hi,

I have a problem connecting from one local subnet to another, crossing an FBSD box with pf. It should be trivial; I have the following ruleset:

<snip>
# Local services accessible from wlan
block in log on $wlan_if inet from $wlan_net to <local_net>
pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
    <local_net> port $local_tcp flags S/SA keep state
pass in log quick on $wlan_if inet proto udp from $wlan_net to \
    <local_net> port $local_udp keep state
pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
    <local_net> icmp-type $local_icmp keep state
block in log quick on $wlan_if inet from $wlan_net to <local_net>

block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to !<local_net> \
    keep state
block out log quick on $srv_if
</snip>

<local_net> is a table of the directly attached local networks. I am trying to connect from my wireless LAN to a wired LAN. But tcpdump on pflog0 shows this:

000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 > 192.168.0.254.80: [|tcp]
000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 > 192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]

Evidently, the packet is matched by the correct pass in rule, yet no state is created and it is subsequently blocked by the block out rule. I can add a pass out rule to get through, but that shouldn't be the correct solution. Why does pf not keep state?

Thanks, Erik
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.LSU.1.00.0804021600290.1425>
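The symptom in the message is a flow that pf logs as "pass in" on one interface and, a moment later, as "block out" on another interface: exactly what you see when a stateful pass-in rule's state is not being applied to the outbound leg. The following Python script is an added example, not part of the original message or of the FreeBSD project. It parses pflog lines in the `tcpdump -n -e -ttt -i pflog0` format quoted above, groups them by 5-tuple, and flags every flow that was passed in but then blocked out, reporting both rule numbers and interfaces so you can see which out rule caught the packet. The first two log lines are the ones from the message; the remaining lines are constructed for the example. The regular expression assumes the tcpdump output shape shown on the page (timestamp, `rule N/M(reason):`, action, direction, interface, addr.port > addr.port).

```python
import re
from collections import OrderedDict

# Constructed sample log.  The first two lines are the pflog output quoted in
# the message; the others are invented here to show flows that pf passed in
# without a matching block out (pf does not log packets matched by state).
SAMPLE_LOG = """\
000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 > 192.168.0.254.80: [|tcp]
000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 > 192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]
000120 rule 56/0(match): pass in on ath0: 172.17.1.254.53001 > 192.168.0.254.53: 1234+ A? example.invalid. (33)
000300 rule 54/0(match): pass in on ath0: 172.17.1.254.49350 > 192.168.0.254.80: [|tcp]
this line is not pflog output and is skipped
"""

# tcpdump -n -e -ttt -i pflog0 line layout, as assumed for this example.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifc>[^:\s]+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_pflog(text):
    """Return one dict per recognised pflog line, in file order.

    Lines that do not match the expected layout are ignored rather than
    raising, so the script can be pointed at a mixed capture.
    """
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["rule"] = int(ev["rule"])
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_missing_state(events):
    """Flag flows that were passed in on one interface and then blocked out.

    A stateful pass-in rule should let the same flow leave on the other
    interface via its state entry.  A later "block out" log entry for the
    same 5-tuple means the out leg was evaluated against the ruleset instead
    of matching state, which is the situation described in the message.
    """
    first_pass_in = OrderedDict()   # flow key -> event that passed it in
    findings = []
    for ev in events:
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["action"] == "pass" and ev["dir"] == "in":
            first_pass_in.setdefault(key, ev)
        elif ev["action"] == "block" and ev["dir"] == "out" and key in first_pass_in:
            pin = first_pass_in[key]
            findings.append({
                "flow": "%s:%d > %s:%d" % key,
                "in_ifc": pin["ifc"], "in_rule": pin["rule"],
                "out_ifc": ev["ifc"], "out_rule": ev["rule"],
            })
    return findings


def report(text):
    """Human-readable summary, one line per suspicious flow."""
    lines = []
    for f in find_missing_state(parse_pflog(text)):
        lines.append(
            "%s: passed in on %s by rule %d, blocked out on %s by rule %d "
            "(state not applied on outbound interface)"
            % (f["flow"], f["in_ifc"], f["in_rule"], f["out_ifc"], f["out_rule"])
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real capture with `tcpdump -n -e -ttt -i pflog0 > pflog.txt` and feed the file to `report()`; flows that appear in the output are the ones to check against `pfctl -ss` and `pfctl -vsr` (which prints the rule numbers pflog refers to) to confirm whether a state entry was actually created for the pass-in match.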