Date:      Wed, 27 Feb 2008 23:02:08 -0500
From:      "Vadym Chepkov" <vchepkov@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: floating keep state
Message-ID:  <1635d77d0802272002w6aaaa0ect164a64e136b969f5@mail.gmail.com>
In-Reply-To: <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>
References:  <1635d77d0802271143u2aeb0b13we310ea1a611afaa8@mail.gmail.com> <6e6841490802271310o3e5976a4gef2cb507087c01b@mail.gmail.com> <1635d77d0802271346g4cf02b8et8bc74d16f6e97e45@mail.gmail.com>

I created a lab configuration with the minimum settings:

DNS server has IP 10.10.10.1
client has IP 10.10.11.254
between them is 6.3-RELEASE-p1 with 10.10.10.6 and 10.10.11.1 interfaces

Here is /etc/pf.conf:

set block-policy return
set state-policy floating
pass in log quick proto udp from any to 10.10.10.1 port domain keep state
block in log from any to 10.10.11.254

Now I do an nslookup on the client; here is the output of
tcpdump -n -l -e -i pflog0

22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53:  45616+[|domain]
22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772:  45616*-[|domain]

The state is:
#pfctl -ss
self udp 10.10.10.1:53 <- 10.10.11.254:32772       NO_TRAFFIC:SINGLE

My question is: why was the reply packet blocked?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1635d77d0802272002w6aaaa0ect164a64e136b969f5>
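The following is an added illustrative model, not pf's code and not part of the original post or its replies. It reconstructs the lab above in Python: the two rules from the posted pf.conf (with pf's last-match semantics and the `quick` on the pass rule), the query seen inbound on xl1, and the reply seen inbound on xl0. It then shows what `set state-policy floating` versus `if-bound` are defined to do to the reply lookup: a floating state is keyed only on protocol and addresses/ports, so the reversed reply matches on any interface; an if-bound state additionally requires the interface it was created on. Interface names, the simplified rule matchers and the state key layout are assumptions of the model, chosen to mirror the post.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Illustrative model of pf state keying (assumption: simplified, not pf's
# real state table). A "state key" is (proto, src, dst); the interface is
# recorded separately so the two state policies can be compared.

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen inbound on
    proto: str
    src: Endpoint
    dst: Endpoint


@dataclass
class State:
    iface: str        # interface the state was created on
    key: Tuple[str, Endpoint, Endpoint]


class StateTable:
    def __init__(self, policy: str):
        if policy not in ("floating", "if-bound"):
            raise ValueError("policy must be 'floating' or 'if-bound'")
        self.policy = policy
        self.states: List[State] = []

    def create(self, pkt: Packet) -> State:
        st = State(iface=pkt.iface, key=(pkt.proto, pkt.src, pkt.dst))
        self.states.append(st)
        return st

    def lookup(self, pkt: Packet) -> Optional[State]:
        fwd = (pkt.proto, pkt.src, pkt.dst)
        rev = (pkt.proto, pkt.dst, pkt.src)      # reply direction
        for st in self.states:
            if st.key not in (fwd, rev):
                continue
            # if-bound: the state only matches on the interface it was
            # created on; floating: interface is not part of the match.
            if self.policy == "if-bound" and st.iface != pkt.iface:
                continue
            return st
        return None


# (action, quick, matcher) -- last matching rule wins unless 'quick'.
Rule = Tuple[str, bool, Callable[[Packet], bool]]


def filter_packet(table: StateTable, rules: List[Rule], pkt: Packet) -> str:
    """Return the decision for one packet, like a pflog line would show."""
    if table.lookup(pkt) is not None:
        return "pass (state)"
    decision = "pass"            # pf's implicit default when nothing matches
    keep_state = False
    for action, quick, match in rules:
        if match(pkt):
            decision = action
            keep_state = (action == "pass")   # only the pass rule keeps state
            if quick:
                break
    if keep_state:
        table.create(pkt)
    return decision


def run(policy: str) -> List[str]:
    """Replay the posted query/reply pair under the given state policy."""
    table = StateTable(policy)
    rules: List[Rule] = [
        # pass in log quick proto udp from any to 10.10.10.1 port domain keep state
        ("pass", True, lambda p: p.proto == "udp" and p.dst == ("10.10.10.1", 53)),
        # block in log from any to 10.10.11.254
        ("block", False, lambda p: p.dst[0] == "10.10.11.254"),
    ]
    # Constructed packets mirroring the two pflog lines in the post.
    query = Packet("xl1", "udp", ("10.10.11.254", 32772), ("10.10.10.1", 53))
    reply = Packet("xl0", "udp", ("10.10.10.1", 53), ("10.10.11.254", 32772))
    return [filter_packet(table, rules, query), filter_packet(table, rules, reply)]


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, run(policy))
```

Under this model a floating state matches the reply on xl0 and it passes; an if-bound state does not match there, and the reply falls through to the block rule, giving the same pass/block pair as the two pflog lines in the post. The model says only what each policy is defined to do, not why the poster's 6.3 box behaved as it did.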