
Re: tagging & keep state



----- Original Message ----- 
From: "Henning Brauer" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 01, 2004 1:39 AM
Subject: Re: tagging & keep state
> no, only the first packet is (to be exact: only packets which do not
> match a state entry are tagged). This hasn't been a problem in practice
> (and is why the parser demands keep state on pass rules which do
> tagging);
There's always annoying edge cases. The only problem I've seen with this
behaviour of tags is when you're trying to keep track of traceroutes through
the box. Say you have the following rules:
block log all
pass in on $if1 tag THROUGH
pass out on $if2 tagged THROUGH
The first traceroute packet will come in and create state on the incoming
side, but because its TTL will be one it won't go through the box, i.e., it
won't create a state entry on the outgoing side. The second traceroute packet
with its TTL of two will then come in and match the state entry for the
incoming side. However, because it was passed by the state entry and not
evaluated by the first pass rule, it won't have the THROUGH tag attached to
it. It therefore won't match the second pass rule and the default block
policy will come into effect. The packet will be dropped and the traceroute
will be broken.
It makes sense if you know what's happening, but isn't immediately obvious.
This is explored further by
http://www.itee.uq.edu.au/~chrisp/OpenBSD/pf.c-tag_states.diff.
Regards,
DG
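A toy model of the behaviour described in the mail, added here as an illustration (it is neither code from the thread nor pf's own code): a packet that matches a state entry skips the ruleset, a tag is attached only while a rule is evaluated, and so the second traceroute probe is blocked on the way out. The `tag_in_state` switch is an assumed variant in which the state entry remembers the tag; it is not a claim about what the linked diff does. Packets are identified by a constructed `flow_id`, and every tagging pass rule keeps state, as Henning says the parser demands.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    flow_id: int               # e.g. an ICMP echo id; constructed sample value
    ttl: int
    tag: Optional[str] = None
@dataclass
class Rule:
    action: str                   # "pass" or "block"
    on: Optional[str] = None      # "in if1", "out if2", or None for any
    tag: Optional[str] = None     # "tag THROUGH": attach this tag
    tagged: Optional[str] = None  # "tagged THROUGH": require this tag
@dataclass
class Firewall:
    rules: list
    tag_in_state: bool = False    # hypothetical variant: state remembers the tag
    states: dict = field(default_factory=dict)  # (iface/dir, flow_id) -> tag

    def filter(self, pkt: Packet, on: str) -> str:
        key = (on, pkt.flow_id)
        if key in self.states:    # state match: the ruleset is not consulted
            if self.tag_in_state:
                pkt.tag = self.states[key]
            return "pass"
        winner = Rule("block")
        for r in self.rules:      # last matching rule wins, as in pf
            if r.on in (None, on) and (r.tagged is None or pkt.tag == r.tagged):
                winner = r
        if winner.action == "block":
            return "block"
        if winner.tag:
            pkt.tag = winner.tag  # the tag is attached only during rule evaluation
        self.states[key] = pkt.tag  # tagging pass rules keep state
        return "pass"

# Ruleset from the mail ("block log all" first, so it loses to any later match).
RULES = [Rule("block"), Rule("pass", "in if1", tag="THROUGH"),
         Rule("pass", "out if2", tagged="THROUGH")]

def traceroute_probes(tag_in_state: bool = False) -> list:
    fw = Firewall(RULES, tag_in_state)
    results = []
    for ttl in (1, 2):            # first two probes of one traceroute
        pkt = Packet(flow_id=4242, ttl=ttl)
        fw.filter(pkt, "in if1")  # creates the incoming state, or matches it
        pkt.ttl -= 1              # the box forwards, so the TTL is decremented
        if pkt.ttl == 0:
            results.append("ttl expired at box"); continue
        results.append("forwarded" if fw.filter(pkt, "out if2") == "pass" else "blocked out")
    return results
```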