
Re: Strange ? keep state behaviour

I'm cc'ing the pf list so that the whole thread is archived.

I've included the whole pf.conf file. There isn't much more than what you already have.

Your suggestion does work, but it weakens the rule set. Instead of a default deny stance, I have a default deny inbound on the external interface.

It also doesn't provide any clue as to why "keep state" isn't carrying across the interfaces.

Sven wrote:
<snip> On Thu, 06 Jan 2005 16:48:50 -0500, Jason Murray wrote:

Without seeing the rest of your ruleset (hint) I can't say for sure but does it work if you change

block log all
to
block log all on $ext_if
?

# macros
uat_if = "rl0" # UAT
dev_if = "xl0" # DEV
ext_if = "fxp0"
tcp_services = "{ 22 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
marlin = "10.245.245.130"
simba = "10.245.245.2"
# options
set block-policy return
set loginterface $ext_if
set state-policy floating
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $uat_if:network to any -> ($ext_if)
nat on $ext_if from $dev_if:network to any -> ($ext_if)
#rdr on $uat_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $dev_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $marlin
rdr on $ext_if proto tcp from any to any port 443 -> $marlin
# filter rules
# Default policy is to block traffic if it is not specifically allowed
block log all
antispoof quick for { lo0 $uat_if $dev_if }
# Traffic is allowed from Simba and Marlin
pass in log quick on $dev_if from any to $marlin keep state
# Traffic is not allowed from Marlin to Simba
block in log quick on $uat_if from any to $simba
# ssh vpn stuff
# Allow inbound ssh from the Internet only to the external interface.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
# Allow traffic from the loopback to pass.
pass log quick on lo0 all keep state
# Allow web traffic to the UAT (marlin) box.
pass in log quick on $ext_if proto tcp from any to $marlin port { 80, 443 } flags S/SA keep state
# this rule should not be needed since the keep state above should obviate it,
# however I could not get the traffic to pass unless it was there.
pass out log quick on $uat_if proto tcp from any to $marlin port { 80, 443 } flags S/SA keep state
# Allow ping from any box to pass.
pass in log quick inet proto icmp all icmp-type $icmp_types keep state