Date: Thu, 5 Dec 2019 11:24:35 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191205042435.GA19962@admin.sibptus.ru>
In-Reply-To: <20191204140000.GA96563@admin.sibptus.ru>
References: <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru> <20191202134047.GA14183@admin.sibptus.ru> <0c189ef5-61a3-209b-84a1-9982fde94073@als.nnov.ru> <20191204140000.GA96563@admin.sibptus.ru>
Victor Sudakov wrote:
> Max wrote:
[dd]
> > Or you can create "pass out on $dmz..." rule.
>
> Yeah, that sounds great. The ping responses begin to arrive at 192.168.10.3!
> Victory!

You know what! If I create a "pass out on $dmz..." rule, no rules on $inside are necessary any more. pfctl shows only *one* state, but this time it is sufficient:

root@fw:~ # pfctl -vvs rules
No ALTQ support in kernel
ALTQ related functions disabled
@0 pass in on vtnet1 all flags S/SA keep state
  [ Evaluations: 15        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1262 State Creations: 0     ]
@1 block return in on vtnet1 inet from any to 192.168.0.0/16
  [ Evaluations: 1         Packets: 1         Bytes: 84          States: 0     ]
  [ Inserted: uid 0 pid 1262 State Creations: 0     ]
@2 pass out on vtnet1 all flags S/SA keep state
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1262 State Creations: 0     ]
root@fw:~ #
root@fw:~ # pfctl -vvs states
No ALTQ support in kernel
ALTQ related functions disabled
all icmp 192.168.10.3:63234 -> 172.16.1.10:63234       0:0
   age 00:00:11, expires in 00:00:09, 11:11 pkts, 924:924 bytes, rule 2
   id: 000000005de88142 creatorid: 68441fab
root@fw:~ #

Now 192.168.10.3 can ping 172.16.1.10 and receive echo replies, but 172.16.1.10 cannot ping 192.168.10.3.

Don't you think there is something non-trivial or even incorrect about the way states are evaluated?
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
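The three rules from the pfctl dump above, written back as a pf.conf fragment with comments on why the single state produces the one-way ping result (an added example, not part of the original post; vtnet1 is assumed to be $dmz, and the $inside interface name and the $inside_net macro are placeholders the post does not give):

```pf
# Macros. vtnet1 is taken to be $dmz (assumption: the pfctl dump names the
# interface, not the macro). $inside and $inside_net are placeholders.
dmz        = "vtnet1"
inside     = "vtnet0"            # placeholder, not from the post
inside_net = "192.168.0.0/16"

# Two things decide the behaviour seen in the post:
#   1. pf looks a packet up in the state table before it walks the rules;
#      a packet that matches an existing state is passed without any rule
#      being evaluated.
#   2. Without "quick", the last matching rule wins.

# @0 pass in on vtnet1 all flags S/SA keep state
pass in on $dmz keep state

# @1 block return in on vtnet1 inet from any to 192.168.0.0/16
# A fresh echo request from 172.16.1.10 to 192.168.10.3 arrives on $dmz,
# matches no state, so the rules are walked: @0 matches, then @1 matches
# later and wins, so the request is blocked. That is the single packet
# (84 bytes) counted against @1 in the dump.
block return in on $dmz inet from any to $inside_net

# @2 pass out on vtnet1 all flags S/SA keep state
# An echo request from 192.168.10.3 leaving on $dmz creates the floating
# ("all") state shown by pfctl -vvs states, keyed on the ICMP id 63234.
# The echo reply coming back in on $dmz matches that state and is passed
# before @0 or @1 is evaluated, which is why no rule on $inside is needed
# (pf passes traffic that matches no rule at all, so $inside uses the
# default).
pass out on $dmz keep state
```

Only ICMP traffic whose id matches the state gets back in through $dmz; anything 172.16.1.10 initiates on its own still has to pass the rule walk and stops at @1.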