Date: Wed, 3 Sep 2008 08:26:32 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Guido van Rooij <guido@gvr.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <20080903152632.GA89687@icarus.home.lan>
In-Reply-To: <20080903110943.GA25396@gvr.gvr.org>
References: <20080903110943.GA25396@gvr.gvr.org>
On Wed, Sep 03, 2008 at 01:09:43PM +0200, Guido van Rooij wrote:
>
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

First and foremost, I'm sorry I didn't reply to this sooner -- I've been
fighting with Comcast for the past ~9 hours over a "single report of me
sending spam" resulting in them blocking my ability to send mail via
smtp.comcast.net:25... Yeah... anyway...

I'm a bit confused by these rules and your network configuration.

Rule #3 is keeping state incorrectly. You need to keep state only on the
initial TCP SYN. You are using RELENG_6, which means you need to specify
"flags S/SA", otherwise "keep state" is going to match against all TCP
packets regardless of bits (FIN, ACK, PSH, etc.), which is probably not
what you want. This may be the source of your problem.

Rule #1 allows any packet with a source address of 1.2.3.1, arriving on
the ep0 interface, destined to 10.0.0.2. How exactly are packets arriving
on ep0 (which is bound to 1.2.3.0/24) with a destination of 10.0.0.2 in
the first place? That seems strange. Is your gateway on your network
blindly forwarding packets between networks or something? Or is this
FreeBSD box acting *as* a gateway?

Rule #3 allows any outbound packet from 1.2.3.1 (which isn't even an IP
address bound to bge0), arriving on the bge0 interface, destined to
1.0.0.2. I wonder if this rule is backwards (IPs in from/to should be
reversed).

If none of this helps, others will have to assist, as I'm out of ideas
other than the above.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
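As an added example that is not part of Jeremy's or Guido's mail: the three-rule set Guido quoted, followed by rule #3 rewritten with the `flags S/SA` qualifier Jeremy recommends for RELENG_6. The interface names, addresses and rule order are the ones in the quoted setup and nothing else is assumed; the from/to swap Jeremy wonders about is not applied, because the thread does not confirm it.

```pf
# Added example (not from the thread). Interfaces and addresses are the
# ones in Guido's quoted setup: ep0 = 1.2.3.4/24, bge0 = 10.0.0.1/24.

# Rules #1 and #2 exactly as posted.
pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
block drop out log quick on ep0 all

# Rule #3 as posted (kept here only for comparison, so it is commented out).
# On RELENG_6 a bare "keep state" creates a state entry from whichever TCP
# packet first matches the rule (SYN, ACK, PSH, FIN ...), not only from the
# packet that opens the connection.
# pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

# Rule #3 with the qualifier Jeremy suggests.
# "flags S/SA" means: of the SYN and ACK bits, only SYN may be set. State is
# therefore created only by the first packet of a TCP handshake; a packet
# that does not start a connection must match an existing state entry or a
# later rule, and is no longer silently turned into a new state.
pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 \
    flags S/SA keep state

# Dry-run syntax check before loading (changes nothing):
#   pfctl -nf /etc/pf.conf
# After a test connection, confirm that exactly one state was created by
# the handshake rather than one per stray packet:
#   pfctl -ss
# Rule #2 logs what it drops, so the logged packets can be read with:
#   tcpdump -n -e -ttt -i pflog0
```

Checking `pfctl -ss` after the change is the quickest way to see whether the original symptom (state apparently not being kept on outgoing connections) was really the mid-stream packets creating or failing to match state, which is the failure mode Jeremy describes.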