Date: Wed, 3 Sep 2008 20:25:11 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Guido van Rooij <guido@gvr.org>
Subject: Re: keeping state on outgoing connections fails (?)
Message-ID: <200809032025.11619.max@love2party.net>
In-Reply-To: <20080903110943.GA25396@gvr.gvr.org>
References: <20080903110943.GA25396@gvr.gvr.org>

On Wednesday 03 September 2008 13:09:43 Guido van Rooij wrote:
> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>
> ep0: 1.2.3.4/24
> bge0: 10.0.0.1/24
>
> ruleset (made as simple as possible):
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>
> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
> and passes because of rule 1.
> Then the packet goes out via bge0, is passed via rule 3 and a state entry
> is created.
>
> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>
> Then the packet should be sent out via ep0, but it is blocked, as pflogd
> shows: 000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 >

There is no state entry and no rule that would allow traffic to be sent out
via ep0. You either have to create state on ep0 or you must allow traffic on
ep0 in both directions.

I think the ruleset you are looking for is something along the lines of:

block drop all
pass in on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA
pass out on bge0 inet from 1.2.3.1 to 10.0.0.2 keep state flags S/SA

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
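
The packet walk discussed in this thread, as an added example that is not part of the original message and is not pf's own code: a simplified Python model of pf rule evaluation and state matching, run over both rulesets for the SYN and the returning SYN/ACK. The `Rule`/`Pkt` types, the function names and the simplifications (floating states, TCP only, no ports, NAT or sequence tracking) are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified model (assumption): floating states, TCP only, no ports or NAT.
Rule = namedtuple("Rule", "action dir iface src dst quick keep syn_only")
Pkt = namedtuple("Pkt", "dir iface src dst flags")
ANY = None

def rule_matches(r, p):
    return (r.dir in (ANY, p.dir) and r.iface in (ANY, p.iface)
            and r.src in (ANY, p.src) and r.dst in (ANY, p.dst)
            and (not r.syn_only or p.flags == "S"))  # models "flags S/SA"

def state_matches(s, p):
    # A state covers the direction it was created in as-is, and the
    # opposite direction with source and destination swapped.
    s_dir, s_src, s_dst = s
    if p.dir == s_dir:
        return (p.src, p.dst) == (s_src, s_dst)
    return (p.src, p.dst) == (s_dst, s_src)

def filter_packet(rules, states, p):
    if any(state_matches(s, p) for s in states):
        return "pass (state)"
    verdict = None  # pf passes a packet that no rule matches
    for r in rules:  # last matching rule wins unless it is "quick"
        if rule_matches(r, p):
            verdict = r
            if r.quick:
                break
    if verdict is None:
        return "pass (default)"
    if verdict.action == "pass" and verdict.keep:
        states.add((p.dir, p.src, p.dst))
    return verdict.action

C, S = "1.2.3.1", "10.0.0.2"
# SYN in on ep0, SYN out on bge0, SYN/ACK in on bge0, SYN/ACK out on ep0
PATH = [Pkt("in", "ep0", C, S, "S"), Pkt("out", "bge0", C, S, "S"),
        Pkt("in", "bge0", S, C, "SA"), Pkt("out", "ep0", S, C, "SA")]
ORIGINAL = [Rule("pass", "in", "ep0", C, S, True, False, False),
            Rule("block", "out", "ep0", ANY, ANY, True, False, False),
            Rule("pass", "out", "bge0", C, S, True, True, False)]
PROPOSED = [Rule("block", ANY, ANY, ANY, ANY, False, False, False),
            Rule("pass", "in", "ep0", C, S, False, True, True),
            Rule("pass", "out", "bge0", C, S, False, True, True)]

def run(rules):
    states = set()
    return [filter_packet(rules, states, p) for p in PATH]
```

In this model `run(ORIGINAL)` blocks only the fourth step (SYN/ACK out on ep0), while `run(PROPOSED)` passes it on the state created when the SYN came in on ep0.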