Date: Fri, 16 Jul 2010 21:58:31 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Mario Lobo <mlobo@digiart.art.br> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: pf behavior question Message-ID: <4C40C7F7.4080005@infracaninophile.co.uk> In-Reply-To: <201007161722.04902.mlobo@digiart.art.br> References: <201007161722.04902.mlobo@digiart.art.br>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigEF9421326E85AAC63E7685E0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 16/07/2010 18:22:04, Mario Lobo wrote: > Hi; >=20 > System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 B= RT 2010=20 > i386 >=20 > The question is about how pf acts on an specific situation. >=20 > Supose I have the following rules: >=20 >=20 > pass in log inet proto tcp from $int_if to any port 8021 =20 > flags S/SA keep state tag test >=20 > rule 2 .... > rule 3 ..... > . > rule n .... >=20 > pass in log quick on $int_if inet proto tcp tagged test keep state queu= e (ftp) >=20 >=20 > Suppose the packet matches the first rule. >=20 > According to what I red about pf, it will keep parsing the rules (no "q= uick"=20 > on the first rule). When it reaches the last rule, the tag will match a= nd the=20 > packet will pass. >=20 > I don't believe I'll have 2 state table entries for the same packet aft= er the=20 > last rule matches. or will I?=20 >=20 > What is the proper way to use the tag created on the first rule, as far= as the =20 > state table is concerned? Correct, essentially. No, you won't end up with two entries in the state table from this -- it's only the last matching rule that causes the state table to be modified. In fact, you simply can't have two state table entries for the same (i/f, proto, srcaddr, srcport, destaddr, destport) tuple, because those six quantities are together used as the index into the state table. (Note: i/f is usually 'all' unless you've 'set state-policy if-bound' or equivalent, so generating state on one interface allows a packet to pass on any interface.) You don't get much from using tagging in the case you show -- as you've only got one rule to apply tags you might as well have let that been the place where you decided to pass or block the packet. Tagging is a lot more useful where you need several different rules to identify a particular class of traffic: you can apply the tag from several different matching rules, and then have just one rule to express your policy for that class of traffic. See the example in http://www.openbsd.org/faq/pf/tagging.html which gives a pretty good idea how it all works. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW --------------enigEF9421326E85AAC63E7685E0 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkxAx/8ACgkQ8Mjk52CukIz1nQCeOyuoAL2rtwfa1Rhcp48IObv9 Mv4An0b/NmtZy44JM6qKzdfuBncH6Ib7 =v6Fc -----END PGP SIGNATURE----- --------------enigEF9421326E85AAC63E7685E0--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C40C7F7.4080005>