From owner-freebsd-pf@freebsd.org Mon Dec 2 14:59:29 2019
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Date: Mon, 2 Dec 2019 15:59:21 +0100
Message-ID: <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net>
In-Reply-To: <20191202025642.GA99174@admin.sibptus.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 02.12.19 03:56, Victor Sudakov wrote:
> Dear Colleagues,
>
> I was asking this question on the freebsd-net mailing list, but I think
> it would be better to re-ask it here.
>
> There is something I cannot understand about pf's notion of state.
>
> Consider this very simple example with two interfaces:
>
> ====================================
> # DMZ 172.16.1.0/24
> pass in on $dmz
> #block in on $dmz from any to 192.168.0.0/16
>
> # Inside 192.168.10.0/24
> pass in on $inside
> ====================================
>
> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3.

For the initial SYN of a TCP connection from 192.168.10.3 to 172.16.1.10, rule evaluation looks like below. The returning SYN+ACK and all further packets will be matched against states. It is not possible with pf to skip matching against existing states.
It's done in code before ruleset evaluation.

Your initial SYN is "in" on $inside and "out" on $dmz, correct?

Rule 1 does not match this packet
Rule 3 matches said packet, action is PASS

> But when I uncomment the "block ..." line and restart pf, I cannot do
> that any more. Why is that?

Then it looks like this:

Rule 1 does not match this packet
Rule 2 does not match this packet
Rule 3 matches said packet, action is PASS

There should be no difference. Are you sure you're talking about a connection from $inside to $dmz and that the variables are not swapped? And are you sure you're making a new TCP connection and not just talking about the old one being terminated?

Restarting pf (service pf restart) will terminate existing states. All existing TCP connections will either immediately reset or time out, depending on other conditions. In most cases you don't want to restart pf but only apply the new ruleset. Unless you want to restart. That depends on your security considerations, because reloading a new ruleset keeps existing sessions, so even if you remove them from the firewall, users connected before that over, let's say, ssh will still remain connected.

> My idea was that the "pass in on $inside" creates state so that return
> traffic from 172.16.1.10:80 to 192.168.10.3:xxxxx should be permitted,
> but this is not happening

It should be like this, yes.

> so I must be wrong in my understanding how
> state works.

Please remember that pf on a router creates 2 states: one before routing, one after. Existing states and the ruleset are evaluated twice. The first state will be "in on $iface1" and the other "out on $iface2". Both states might be created by the same rule if you don't provide "on $iface" in the rule and only operate on IP addresses.

The last thing I would like to point out is that your firewall lacks a final blocking rule. Designing firewalls by mixing passes and blocks is generally a bad idea.
It's way safer to provide a single blocking rule for all traffic on all interfaces and then allow only some subsets of traffic.

-- 
| pozdrawiam / greetings   | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz     | jabber,email: vegeta()tuxpowered net  |
| Vegeta                   | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
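Added illustration, not part of the thread and not pf's source: a toy Python model of the evaluation order the reply describes (states looked up before rules, last matching rule wins, one pass "in" on the ingress interface and one "out" on the egress one), extended with the pf default that a packet matched by no rule passes without creating state. It traces the quoted ruleset with and without the block line, plus a default-deny variant of the kind the reply recommends, so you can see at which evaluation point a state exists for the returning SYN+ACK. Ports, "quick", if-bound states and TCP flag tracking are left out.

```python
# Toy model of pf's evaluation order (constructed illustration, not pf's code):
# states are looked up before rules, the last matching rule wins, a packet no
# rule matches passes without creating state, and a router filters each
# forwarded packet twice: "in" on the ingress interface, "out" on the egress.
import ipaddress

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

class Pf:
    def __init__(self, rules):
        self.rules = rules    # (action, direction, iface, src, dst); "any" = wildcard
        self.states = set()   # floating states, keyed as in state_key()

    @staticmethod
    def state_key(direction, src, dst):
        # A reply passing the same point the other way hashes to the same key.
        return (src, dst) if direction == "in" else (dst, src)

    def test(self, direction, iface, src, dst):
        if self.state_key(direction, src, dst) in self.states:
            return "pass:state"          # an existing state always wins
        action = "pass:default"          # nothing matched: pass, but no state
        for act, d, i, s, t in self.rules:
            if d in (direction, "any") and i in (iface, "any") \
                    and in_net(src, s) and in_net(dst, t):
                action = act             # last matching rule wins
        if action == "pass":
            self.states.add(self.state_key(direction, src, dst))
        return action

    def route(self, src, dst, in_if, out_if):
        """Forward one packet: filtered in on in_if, then out on out_if."""
        v_in = self.test("in", in_if, src, dst)
        return (v_in, None) if v_in == "block" else (v_in, self.test("out", out_if, src, dst))

A, B = "192.168.10.3", "172.16.1.10"     # the inside client and the DMZ server

def trace(rules):
    """Verdicts (in, out) for the client's SYN, then for the server's SYN+ACK."""
    pf = Pf(rules)
    return pf.route(A, B, "inside", "dmz"), pf.route(B, A, "dmz", "inside")

QUOTED = [("pass", "in", "dmz", "any", "any"),             # the ruleset from the thread
          ("block", "in", "dmz", "any", "192.168.0.0/16"),  # the line that gets uncommented
          ("pass", "in", "inside", "any", "any")]
DEFAULT_DENY = [("block", "any", "any", "any", "any"),     # one block, then explicit passes
                ("pass", "in", "inside", "any", "any"),
                ("pass", "out", "dmz", "any", "any")]
```

Run `trace(QUOTED)`, `trace([QUOTED[0], QUOTED[2]])` and `trace(DEFAULT_DENY)` to compare where the "out on $dmz" pass leaves a state behind for the SYN+ACK arriving "in on $dmz".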