Date:      Thu, 16 Sep 2004 04:02:58 -0000
From:      Mario Doria <madd@tecdigital.net>
To:        pf4freebsd@freelists.org
Subject:   [pf4freebsd] Doubt about modulate state
Message-ID:  <200403222230.57272.madd@tecdigital.net>

Hi all,

I was reading a pf ruleset example at
http://www.openbsd.org/faq/pf/example1.html when I noticed this:

(1) pass in on $int_if from $int_if:network to any keep state
(2) pass out on $int_if from any to $int_if:network keep state

(3) pass out on $ext_if proto tcp all modulate state flags S/SA
(4) pass out on $ext_if proto { udp, icmp } all keep state

$int_if is the internal interface.
$ext_if is the external interface.

As I understand it, rule (1) allows the internal network to communicate
with the firewall and with the outside world.
Rule (2) lets the firewall talk to the internal network.
Rule (3) lets tcp traffic go out, but pf is first going to use
a high quality random sequence number for each connection.
Rule (4) lets the udp and icmp protocols go out on the external
interface.

Now the problem I see is:
from the pf.conf(5) man page:

"There are two caveats associated with state modulation: A modulate state rule
can not be applied to a pre-existing but unmodulated connection.
Such an application would desynchronize TCP's strict sequencing between
the two endpoints. Instead, pf(4) will treat the modulate state modifier as
a keep state modifier and the pre-existing connection will be inferred
without the protection conferred by modulation."

So, here rule (1) is the first rule that sees the connections coming from the
internal interface, and if you're doing NAT on the firewall, when your
packets go out to the world using rule (3), they would not benefit from the
modulate keyword. pf would treat the connection as a previously existing
connection and then it wouldn't be able to apply the modulate keyword.

I don't know if this is correct; I'm having doubts because I found
this example on the "official" FAQ for PF. Can anyone help me please?


Mario
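The pf.conf(5) text quoted above says that modulation only takes effect on the rule that creates the state. The fragment below is an added illustration, not part of Mario's message or of the OpenBSD FAQ: it assumes the same $int_if/$ext_if layout as the FAQ example and shows the same four rules with the modulate state option placed on the rule that first creates state for outbound connections (rule 1, on the internal interface), so that the state entry is modulated regardless of which interface it is later matched on. Whether this is needed on a given pf version is exactly the question the thread is asking; the fragment only shows where the option would have to sit for the quoted caveat not to apply.

```pf
# Added example ruleset, not from the original post (assumed macros)
int_if = "fxp0"
ext_if = "fxp1"

# Outbound NAT on the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

# (1) First rule to see an outbound TCP connection: create a modulated state here.
pass in on $int_if proto tcp from $int_if:network to any modulate state flags S/SA
pass in on $int_if proto { udp, icmp } from $int_if:network to any keep state

# (2) Firewall to internal network
pass out on $int_if from any to $int_if:network keep state

# (3) and (4) unchanged: a connection already tracked by rule (1) never
#     reaches these as a new state, so modulate state here only covers
#     connections originated by the firewall itself.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

A syntax check before loading is `pfctl -nf /etc/pf.conf`; to confirm which rule created a given state entry, `pfctl -ss` lists the live state table and `pfctl -vsr` shows per-rule state counters.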