From: Jeremy Chadwick <jdc@koitsu.dyndns.org>
To: Guido van Rooij
Cc: freebsd-pf@freebsd.org
Date: Wed, 3 Sep 2008 08:26:32 -0700
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <20080903152632.GA89687@icarus.home.lan>
In-Reply-To: <20080903110943.GA25396@gvr.gvr.org>
References: <20080903110943.GA25396@gvr.gvr.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
On Wed, Sep 03, 2008 at 01:09:43PM +0200, Guido van Rooij wrote:
>
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

First and foremost, I'm sorry I didn't reply to this sooner -- I've been
fighting with Comcast for the past ~9 hours over a "single report of me
sending spam" resulting in them blocking my ability to send mail via
smtp.comcast.net:25... Yeah... anyway...

I'm a bit confused by these rules and your network configuration.

Rule #3 is keeping state incorrectly. You need to keep state only on the
initial TCP SYN. You are using RELENG_6, which means you need to specify
"flags S/SA", otherwise "keep state" is going to match against all TCP
packets regardless of bits (FIN, ACK, PSH, etc.), which is probably not
what you want. This may be the source of your problem.

Rule #1 allows any packet with a source address of 1.2.3.1, arriving on
the ep0 interface, destined to 10.0.0.2. How exactly are packets arriving
on ep0 (which is bound to 1.2.3.0/24) with a destination of 10.0.0.2 in
the first place? That seems strange. Is your gateway on your network
blindly forwarding packets between networks or something? Or is this
FreeBSD box acting *as* a gateway?

Rule #3 allows any outbound packet from 1.2.3.1 (which isn't even an IP
address bound to bge0), arriving on the bge0 interface, destined to
1.0.0.2. I wonder if this rule is backwards (IPs in from/to should be
reversed).

If none of this helps, others will have to assist, as I'm out of ideas
other than the above.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
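Added example, not part of the thread or of either poster's configuration: the ruleset Guido quoted, rewritten with the state-tracking fix Jeremy describes for RELENG_6 pf. The interface names and addresses are the ones from the post; the macro names `ext_if` and `int_if` are an assumption introduced here for readability.

```pf
# Added example (not from the thread).  Interfaces and addresses follow
# Guido's post; the two macro names are assumptions made for this example.
ext_if = "ep0"      # 1.2.3.4/24
int_if = "bge0"     # 10.0.0.1/24

# As posted.  On FreeBSD 6.x pf, "keep state" with no "flags" option lets
# whatever TCP packet first matches the rule create the state entry (a
# mid-stream ACK, FIN or RST, not only the SYN that opens the connection),
# so the state table can be seeded from packets that never belonged to a
# properly opened connection.
# pass out quick on $int_if inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

# Corrected: "flags S/SA" means "of the SYN and ACK bits, only SYN set", so
# only the opening SYN may create state; every later packet of that
# connection is matched by the state entry rather than by the rule.
pass in quick on $ext_if inet from 1.2.3.1 to 10.0.0.2
block drop out log quick on $ext_if all
pass out quick on $int_if inet proto tcp from 1.2.3.1 to 10.0.0.2 \
    flags S/SA keep state
```

To check the change without touching the running ruleset, parse it first with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -ss` lists the state table, so you can confirm that an entry now appears only after a fresh SYN leaves on bge0, and because the ep0 block rule carries `log`, `tcpdump -n -e -ttt -i pflog0` shows exactly which packets that rule is dropping. From FreeBSD 7.0 onward pf applies `flags S/SA keep state` to TCP pass rules by default, which is why this pitfall is specific to RELENG_6.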