Date:      Thu, 5 Dec 2019 11:24:35 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf's states
Message-ID:  <20191205042435.GA19962@admin.sibptus.ru>
In-Reply-To: <20191204140000.GA96563@admin.sibptus.ru>
References:  <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru> <20191202134047.GA14183@admin.sibptus.ru> <0c189ef5-61a3-209b-84a1-9982fde94073@als.nnov.ru> <20191204140000.GA96563@admin.sibptus.ru>



Victor Sudakov wrote:
> Max wrote:

[dd]

> >
> > Or you can create "pass out on $dmz..." rule.
>
> Yeah, that sounds great.  The ping responses begin to arrive at 192.168.10.3!
> Victory!

You know what! If I create a "pass out on $dmz..." rule, no rules on
$inside are necessary any more. pfctl shows only *one* state, but this time
it is sufficient:

root@fw:~ # pfctl -vvs rules
No ALTQ support in kernel
ALTQ related functions disabled
@0 pass in on vtnet1 all flags S/SA keep state
  [ Evaluations: 15        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1262 State Creations: 0     ]
@1 block return in on vtnet1 inet from any to 192.168.0.0/16
  [ Evaluations: 1         Packets: 1         Bytes: 84          States: 0     ]
  [ Inserted: uid 0 pid 1262 State Creations: 0     ]
@2 pass out on vtnet1 all flags S/SA keep state
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1262 State Creations: 0     ]
root@fw:~ #

root@fw:~ # pfctl -vvs states
No ALTQ support in kernel
ALTQ related functions disabled
all icmp 192.168.10.3:63234 -> 172.16.1.10:63234       0:0
   age 00:00:11, expires in 00:00:09, 11:11 pkts, 924:924 bytes, rule 2
   id: 000000005de88142 creatorid: 68441fab
root@fw:~ #

Now 192.168.10.3 can ping 172.16.1.10 and receive echo replies; 172.16.1.10
cannot ping 192.168.10.3.

Don't you think there is something non-trivial or even incorrect about the
way states are evaluated?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
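As an added example (not part of the mail, and not pf's or pfctl's own code), a small Python script that joins the two listings above: it parses `pfctl -vvs rules` and `pfctl -vvs states` output and reports, for each state, whether it is floating, which direction created it, and the rule that created it, which is the question the thread is circling. The sample listings are constructed from the ones in the mail; the reading of the `all` interface marker as "floating state" and of `->`/`<-` as "created outbound/inbound" follows pfctl's print convention and is an assumption here, not something the mail states.

```python
import re

# Constructed sample modelled on the pfctl -vvs listings in the mail above
RULES_OUTPUT = """\
No ALTQ support in kernel
@0 pass in on vtnet1 all flags S/SA keep state
  [ Evaluations: 15        Packets: 0         Bytes: 0           States: 0     ]
@1 block return in on vtnet1 inet from any to 192.168.0.0/16
@2 pass out on vtnet1 all flags S/SA keep state
"""
STATES_OUTPUT = """\
all icmp 192.168.10.3:63234 -> 172.16.1.10:63234       0:0
   age 00:00:11, expires in 00:00:09, 11:11 pkts, 924:924 bytes, rule 2
   id: 000000005de88142 creatorid: 68441fab
"""

RULE_RE = re.compile(r"^@(\d+) (.+)$")
# interface, proto, src, arrow, dst, state pair ("0:0", "ESTABLISHED:ESTABLISHED", ...)
STATE_RE = re.compile(r"^(\S+) (\S+) (\S+) (->|<-) (\S+)\s+(\S+)$")

def parse_rules(text):
    """Map rule number -> rule text from 'pfctl -vvs rules'; counter lines are skipped."""
    return {int(m.group(1)): m.group(2)
            for m in map(RULE_RE.match, text.splitlines()) if m}

def parse_states(text):
    """Parse 'pfctl -vvs states'; the 'rule N' detail line follows each state line."""
    states, cur = [], None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            ifname, proto, src, arrow, dst, st = m.groups()
            cur = {"proto": proto, "src": src, "dst": dst, "state": st,
                   # assumption: pfctl prints "all" for a floating (not if-bound) state
                   "floating": ifname == "all",
                   # assumption: "->" = state created by an outbound packet, "<-" = inbound
                   "direction": "out" if arrow == "->" else "in", "rule": None}
            states.append(cur)
        elif cur is not None:
            r = re.search(r"\brule (\d+)", line)
            if r:
                cur["rule"] = int(r.group(1))
    return states

def annotate_states(rules_text, states_text):
    """Join each state to the rule that created it; a stale rule number is flagged."""
    rules = parse_rules(rules_text)
    return [dict(s, rule_text=rules.get(s["rule"], "<rule not in current ruleset>"))
            for s in parse_states(states_text)]
```

Run it against live `pfctl -vvs rules` and `pfctl -vvs states` output after a ruleset change: a state whose rule number no longer maps to a rule in the loaded set is one that outlived the rule that created it.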




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191205042435.GA19962>