
Strange keep state behaviour

Hello, new to the list, but not exactly new to pf.

I've got a 3 interface firewall and I'm seeing what I would call strange behaviour. Here is the scenario. I want to allow http in from the Internet to a web server on an isolated segment. I have a rdr rule set up and it works just fine (traffic flows when no filtering is being done).

If I have a rule set like the following:

block log all
antispoof quick for { lo0 $uat_if $dev_if }
# Allow web traffic to the UAT (marlin) box.
pass in log quick on $ext_if proto tcp from any to $marlin port { 80, 443 } flags S/SA keep state
Traffic does not flow. I get the following in the logs:

Jan 06 12:11:56.324068 rule 13/0(match): pass in on ext_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:11:56.324104 rule 0/0(match): block out on uat_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:11:59.353276 rule 0/0(match): block out on uat_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:12:05.361189 rule 0/0(match): block out on uat_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)


This does not make any sense to me. AFAIK (from reading man pf.conf numerous times) the "keep state" should allow the traffic to pass once the "pass in on $ext_if..." rule is matched.

Regardless, it does not work. To get it to work I have to add the following:

pass out log quick on $uat_if proto tcp from any to $marlin port { 80, 443 } flags S/SA keep state

Then my logs show:

Jan 06 12:19:32.244139 rule 13/0(match): pass in on ext_if: out.side.add.ress.56709 > in.side.web.server.80: S 457881634:457881634(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:19:32.244176 rule 15/0(match): pass out on uat_if: out.side.add.ress.56709 > in.side.web.server.80: S 457881634:457881634(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:19:32.567937 rule 13/0(match): pass in on ext_if: out.side.add.ress.63950 > in.side.web.server.80: S 3954645361:3954645361(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:19:32.567955 rule 15/0(match): pass out on uat_if: out.side.add.ress.63950 > in.side.web.server.80: S 3954645361:3954645361(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)


And it works, and all is better, except for the fact that this is not the behaviour I expect from my reading of the docs.

Can anyone shed any light on this for me?
Thanks in advance.
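As an added example, not part of the original post or of pf itself, the following Python script parses pflog lines in the tcpdump-style text format shown above and flags connections that were passed on one interface and then blocked on another, which is exactly the symptom in the first log excerpt. The sample input is constructed from the two excerpts in the post (placeholder host names kept as posted); the script reports the asymmetry but does not try to explain why the state was not matched on the second interface.

```python
import re
from collections import defaultdict

# Constructed sample input: the two pflog excerpts from the post, kept verbatim,
# including the placeholder host names "out.side.add.ress" and "in.side.web.server".
BROKEN_LOG = """\
Jan 06 12:11:56.324068 rule 13/0(match): pass in on ext_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:11:56.324104 rule 0/0(match): block out on uat_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:11:59.353276 rule 0/0(match): block out on uat_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:12:05.361189 rule 0/0(match): block out on uat_if: out.side.add.ress.61005 > in.side.web.server.80: S 3708921981:3708921981(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

WORKING_LOG = """\
Jan 06 12:19:32.244139 rule 13/0(match): pass in on ext_if: out.side.add.ress.56709 > in.side.web.server.80: S 457881634:457881634(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:19:32.244176 rule 15/0(match): pass out on uat_if: out.side.add.ress.56709 > in.side.web.server.80: S 457881634:457881634(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:19:32.567937 rule 13/0(match): pass in on ext_if: out.side.add.ress.63950 > in.side.web.server.80: S 3954645361:3954645361(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Jan 06 12:19:32.567955 rule 15/0(match): pass out on uat_if: out.side.add.ress.63950 > in.side.web.server.80: S 3954645361:3954645361(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# One pflog line as printed by tcpdump on the pflog interface (format assumed from the
# post): timestamp, "rule N/M(reason):", action, direction, interface, then the
# TCP header summary with "host.port > host.port:" and the flag letters.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one pflog text line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sub"] = int(rec["sub"])
    return rec


def find_asymmetric_flows(log_text):
    """Group log lines by TCP 4-tuple and report flows that were passed on one
    interface/direction but blocked on another. Each finding lists where the flow
    was passed, where (and by which rule) it was blocked, and how many blocks
    were logged, which is what a retransmitting client produces."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-matching lines (e.g. ICMP or truncated output)
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        events[key].append(rec)

    findings = []
    for key, recs in events.items():
        passed_on = sorted({(r["ifname"], r["direction"]) for r in recs if r["action"] == "pass"})
        blocked = [r for r in recs if r["action"] == "block"]
        if passed_on and blocked:
            findings.append({
                "flow": key,
                "passed_on": passed_on,
                "blocked_on": sorted({(r["ifname"], r["direction"], r["rule"]) for r in blocked}),
                "block_count": len(blocked),
            })
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LOG), ("working", WORKING_LOG)):
        for f in find_asymmetric_flows(text):
            print(label, f)
```

Running it on the first excerpt reports the 61005 connection as passed in on ext_if, then blocked out on uat_if by rule 0 (the "block log all" default) three times; the second excerpt produces no findings. Pointing this at `tcpdump -n -e -ttt -i pflog0` output is a quick way to see whether a "passed but still blocked" pattern is confined to one interface pair.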