
Re: Strange ? keep state behaviour



On Thu, 06 Jan 2005 18:06:48 -0500, Jason Murray <[email protected]> wrote:
> I'm cc'ing the pf list so that the whole thread is archived.
> 
> I've included the whole pf.conf file. There isn't much more than what you
> already have.
> 
> Your suggestion does work, but it weakens the rule set. Instead of a
> default deny stance, I have a default deny inbound on the external interface.
> 
> It also doesn't provide any clue as to why "keep state" isn't carrying
> across the interfaces.
Because you block all traffic on $uat_if
> 
> Sven wrote:
> <snip> On Thu, 06 Jan 2005 16:48:50 -0500, Jason Murray
> <[email protected]> wrote:
> >
> > Without seeing the rest of your ruleset (hint) I can't say for sure
> > but does it work if you change
> >
> > block log all
> > to
> > block log all on $ext_if
> > ?
> 
> 
> # macros
> uat_if = "rl0" # UAT
> dev_if = "xl0" # DEV
> ext_if = "fxp0"
> 
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"
> 
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> 
> marlin = "10.245.245.130"
> simba = "10.245.245.2"
> 
> # options
> set block-policy return
> set loginterface $ext_if
> set state-policy floating
> 
> # scrub
> scrub in all
> 
> # nat/rdr
> nat on $ext_if from $uat_if:network to any -> ($ext_if)
> nat on $ext_if from $dev_if:network to any -> ($ext_if)
> #rdr on $uat_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> #rdr on $dev_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $ext_if proto tcp from any to any port 80 -> $marlin
> rdr on $ext_if proto tcp from any to any port 443 -> $marlin
> 
> # filter rules
> 
> # Default policy is to block traffic if it is not specifically allowed
> block log all
> 
> antispoof quick for { lo0 $uat_if $dev_if }
> 
> # Traffic is allowed from Simba and Marlin
> pass in log quick on $dev_if from any to $marlin keep state
> 
> # Traffic is not allowed from Marlin to Simba
> block in log quick on $uat_if from any to $simba
> 
> # ssh vpn stuff
> # Allow inbound ssh from the Internet only to the external interface.
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
> # Allow traffic from the loopback to pass.
> pass log quick on lo0 all keep state
> 
> # Allow web traffic to the UAT (marlin) box.
> pass in log quick on $ext_if proto tcp from any to $marlin port { 80, 443 } flags S/SA keep state
> # this rule should not be needed since the keep state above should obviate it,
> # however I could not get the traffic to pass unless it was there.
> pass out log quick on $uat_if proto tcp from any to $marlin port { 80, 443 } flags S/SA keep state
> 
> # Allow ping from any box to pass.
> pass in log quick inet proto icmp all icmp-type $icmp_types keep state
I think you misunderstand keep state. From man pf.conf:
     If a packet matches a pass ... keep state rule, the filter creates a
     state for this connection and automatically lets pass all subsequent
     packets of that connection.
The emphasis is on subsequent. In your case the first packet, the one
that's supposed to create the state, is blocked on $uat_if because of
the "block log all" rule.
The rule you added is a good solution to your problem.
/Sven
-- 
Why are the pretty ones always insane?
-- J.G. Thirlwell
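An added example, not part of the thread: since every block rule in the ruleset above logs, tcpdump on pflog0 records which rule dropped a packet and on which interface, which answers the "no clue" complaint directly. The script parses that output, counts blocks per interface and direction, and lists flows that were passed on one interface but blocked on another; the log lines are constructed in the style of `tcpdump -n -e -ttt -i pflog0`, and the exact timestamp and rule-number formatting varies by version.

```python
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -n -e -ttt -i pflog0`
# (rule number, action, direction, interface, then the packet summary).
SAMPLE_PFLOG = """\
000000 rule 3/(match) pass in on fxp0: 198.51.100.7.51000 > 10.245.245.130.80: S 1:1(0) win 65535
000012 rule 0/(match) block out on rl0: 198.51.100.7.51000 > 10.245.245.130.80: S 1:1(0) win 65535
000430 rule 3/(match) pass in on fxp0: 198.51.100.7.51001 > 10.245.245.130.443: S 2:2(0) win 65535
000009 rule 0/(match) block out on rl0: 198.51.100.7.51001 > 10.245.245.130.443: S 2:2(0) win 65535
000870 rule 0/(match) block in on xl0: 10.245.245.2.40000 > 10.245.245.130.22: S 3:3(0) win 16384
"""

# Accepts both the "rule 0/(match)" and the older "rule 0/0(match):" spellings.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\(match\):? (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>[^:]+):"
)

def parse_pflog(text):
    """Yield one dict per recognised pflog line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            yield m.groupdict()

def blocked_by_interface(text):
    """Count blocked packets per (interface, direction, rule number).

    Blocks going 'out' on an internal interface for traffic that was passed
    'in' on the external one mean the first packet never got past the
    default block on the way out, so no state was created for it there."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            counts[(rec["ifname"], rec["dir"], int(rec["rule"]))] += 1
    return counts

def passed_then_blocked(text):
    """Return (src, dst) flows passed on one interface and blocked on another:
    the exact symptom discussed in the thread."""
    passed, blocked = set(), set()
    for rec in parse_pflog(text):
        flow = (rec["src"], rec["dst"])
        (passed if rec["action"] == "pass" else blocked).add(flow)
    return sorted(passed & blocked)

if __name__ == "__main__":
    for key, n in sorted(blocked_by_interface(SAMPLE_PFLOG).items()):
        print("blocked %d packet(s) %s on %s by rule %d" % (n, key[1], key[0], key[2]))
    for src, dst in passed_then_blocked(SAMPLE_PFLOG):
        print("passed then blocked:", src, "->", dst)
```

On a live box, feed it `tcpdump -n -e -ttt -i pflog0 -l` output instead of the constructed sample; the rule numbers map to `pfctl -sr -vv`.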