Date:      Sat, 05 Mar 2005 01:35:00 -0800
From:      Ben Shelton <fbsd-pf@shelton.ca>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf routing issue?
Message-ID:  <42297D44.2000008@shelton.ca>
In-Reply-To: <4228D370.6020802@shelton.ca>
References:  <42289DEA.5050205@shelton.ca> <20050304174927.GC6369@insomnia.benzedrine.cx> <4228A136.30707@shelton.ca> <20050304180024.GD6369@insomnia.benzedrine.cx> <4228D370.6020802@shelton.ca>

After rewriting the rules so each one included an in on the outside 
interface and an out on the inside interface, everything worked great!
I noticed a couple things:
Apparently FreeBSD's altq doesn't support multi-level queues?  I was a 
bit surprised at that - I followed some examples out there but it kept 
giving me an error until I just made each queue flat.  Could be my 
mistake, either way it's not critical for my purposes.
I'm observing the behavior of the state table counter and it's a bit 
funny.  There are a minimum of about 50k state table entries, it climbs 
up to ~70k under current load then drops back down to 50-55k then climbs 
back up then drops again.  Any idea why it might do that back down to 
nearly those exact numbers over and over in the last hour or two?  It 
just seems a bit suspicious that there would always be at least 50k 
entries and never more than 70k (ceiling is 262k in my setup - yes, this 
is high traffic).

Later,
Ben

Ben Shelton wrote:
> Daniel,
> Thanks for the help.  Pretty silly of me - I guess I assumed that it 
> allowed it right through the firewall, which would be pretty bad. Anyway 
> I've tested allowing through both sides at various times, just probably 
> not in the right combination.
> I'll rewrite stuff and give it a shot tonight.
> Thanks,
> Ben
> 
> Daniel Hartmeier wrote:
> 
>> On Fri, Mar 04, 2005 at 09:56:06AM -0800, Ben Shelton wrote:
>>
>>
>>> I'm actually trying to connect from an outside host through the 
>>> firewall to a host behind the firewall.  I understood that the keep 
>>> state would handle the return packet, am I wrong here?
>>> Also, at various times during the testing I had included a second rule:
>>> pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
>>> as well.  I can't guarantee that I did this in a completely orderly 
>>> fashion (it was the middle of the night), but this didn't work then.
>>> I *think* I have the basics down here, but there probably is 
>>> something completely braindead I've done.
>>
>>
>>
>> When filtering on both interfaces, you have to create two state entries
>> per forwarded connection.
>>
>>   pass in on $if_towards_browser from any to $web_server port 80 \
>>     keep state
>>   pass out on $if_towards_server from any to $web_server port 80 \
>>     keep state
>>
>> This is just for the initial SYN packet, the state will allow further
>> packets in the same direction (and replies in the reverse direction).
>>
>> Your rule 'pass out from x.x.x.x port 80 to any' is wrong, it would be
>> addressing replies, which isn't necessary.
>>
>> You need to allow the initial SYN in on the first interface, then out on
>> the second one. A state entry does not grant passage _through_ the
>> firewall, it only grants passage through one interface.
>>
>> Daniel
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> 
> 
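A pf.conf sketch of the two-interface stateful setup Daniel describes, added here as an illustration and not taken from the thread; the interface names, the server address and the state limit are assumed placeholders.

```pf
# Added example, not from the thread. Interface names and addresses are
# assumed placeholders; adjust to the real topology.
ext_if     = "em0"          # interface towards the browser / outside
int_if     = "em1"          # interface towards the web server / inside
web_server = "192.0.2.10"   # constructed documentation address

# Assumed value, chosen to match the ~262k ceiling mentioned in the thread.
set limit states 262144

block all

# The inbound SYN is allowed in on the outside interface. This creates a
# state on $ext_if only; a state never carries a packet *through* the box.
pass in quick on $ext_if inet proto tcp from any to $web_server port 80 \
    flags S/SA keep state

# The same SYN must also be allowed out on the inside interface, which
# creates a second state on $int_if. Both states then match the rest of
# the connection in both directions, so replies need no rule of their own.
pass out quick on $int_if inet proto tcp from any to $web_server port 80 \
    flags S/SA keep state

# Not needed, and the source of the confusion in the thread: a rule for
# the server's replies. The two states above already cover them.
# pass out quick inet proto tcp from $web_server port 80 to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the two state entries per forwarded connection.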