Date:      Wed, 3 Sep 2008 20:23:01 +0200
From:      Guido van Rooij <guido@gvr.org>
To:        Peter Wullinger <peter.wullinger@googlemail.com>
Cc:        Jeremy Chadwick <koitsu@FreeBSD.org>, freebsd-pf@freebsd.org
Subject:   Re: keeping state on outgoing connections fails (?)
Message-ID:  <20080903182301.GA31792@gvr.gvr.org>
In-Reply-To: <20080903161759.GA2761@kaliope.home>
References:  <20080903110943.GA25396@gvr.gvr.org> <20080903152632.GA89687@icarus.home.lan> <20080903161759.GA2761@kaliope.home>

On Wed, Sep 03, 2008 at 06:17:59PM +0200, Peter Wullinger wrote:
> 
> A little bit of guessing led me to the (possible, I have not tested
> this) culprit: Is your state-policy set to "floating" or "if-bound"?

I tried both, but there is no difference.

> 
> From a casual look at the log entries and traffic snapshots you have sent,
> this seems to be pf working in "if-bound" mode. In this case, the
> created state table entry matches incoming on bge0, but not on
> outgoing on ep0 any more (packets pass through pf twice, as expected).
> 
> This may still be a bug, but it's common to rule out all possible
> culprits before spreading blame.
> 

True, but as state is created on the outbound interface for the
first packet (bge), there is no corresponding incoming interface
yet. At least with ipf, the return packet would first match the
recorded outgoing interface (bge).  Then it follows the gateway's
internal routing. When it then goes out and passes through the
firewall-code, it notices it does not yet know the interface (ep0)
and records it in the state entry and passes it.  This makes perfect
sense: when the original packet would have arrived at a different
interface than bge0, there must have been some kind of spoofing and
should have been blocked in the first place.

-Guido
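For readers following the state-policy question in this thread, the following is an added, constructed pf.conf fragment (not posted by either correspondent) showing the if-bound variant that would drop the forwarded reply beside a floating-state version; bge0 and ep0 are taken from the message, while the LAN prefix is an assumed placeholder.

```conf
# Constructed example for a two-interface gateway (added here, not from
# the thread). Interface names follow the message; the LAN prefix is an
# assumed placeholder.
ext_if  = "bge0"
int_if  = "ep0"
lan_net = "192.168.1.0/24"

# Troublesome variant: the only state is bound to bge0. The reply matches
# it inbound on bge0, but when the reply is forwarded out ep0 no state
# exists on that interface and "block all" drops it there.
#   set state-policy if-bound
#   block all
#   pass out on $ext_if from $lan_net keep state

# Fix A: floating states (pf's default) are matched on any interface,
# so one state covers both bge0 and ep0.
set state-policy floating

block all
pass in  on $int_if from $lan_net keep state
pass out on $ext_if from $lan_net keep state

# Fix B (alternative): stay if-bound, but then every interface the flow
# crosses needs a rule that creates its own interface-bound state:
#   set state-policy if-bound
#   block all
#   pass in  on $int_if from $lan_net keep state   # state bound to ep0
#   pass out on $ext_if from $lan_net keep state   # state bound to bge0
```

Only one `set state-policy` line may be active in a ruleset, so the alternatives are shown commented out; `pfctl -nf /etc/pf.conf` checks the syntax before loading.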


