From: Peter Schuller <peter.schuller@infidyne.com>
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Tue, 26 Sep 2006 19:35:08 +0200
Subject: Re: pf + ipv6 + keep state - any known issues?
Message-Id: <200609261935.09003.peter.schuller@infidyne.com>
In-Reply-To: <45164C0C.5010406@infracaninophile.co.uk>
References: <200609240036.12322.peter.schuller@infidyne.com> <45164C0C.5010406@infracaninophile.co.uk>
User-Agent: KMail/1.9.3

> Are you using antispoofing rules on your external interface? If you've got
> something like this in your ruleset:
>
>     antispoof log quick for $ext_if
>
> Then it will expand into a series of rules containing the following when
> you load them:

Thank you for responding! No, this is not the issue. I *am* performing antispoof on my physical interface, but not on the tunnel interface.
After some further investigation my current theory is that I have run into the trouble with pf and a packet traversing an interface twice. Having a 'keep state' on the *incoming* direction results in a state entry according to pfctl. But there is no state entry for the 'keep state' in the outgoing direction. The result is that packets coming into port 22 are allowed and state is set up, but the responding packets (to some random source port) are NOT allowed because the outgoing direction yielded no state entry.

I am not sure what the behavior is supposed to be with a packet traversing the same interface twice, except I have seen references to the effect of "don't be stupid, don't do that, get another NIC" (for the typical firewall/gateway case). Except in this case that does not apply, even if you agree with the sentiment to begin with.

Can anyone confirm or deny whether "double" traversal *IS* supposed to work without difficulties/special cases on current versions of pf/FreeBSD?

Thanks!

-- 
/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller '
Key retrieval: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org
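For readers following the thread, the setup described above as a minimal pf.conf: antispoof on the physical uplink only, and explicit 'keep state' rules in both directions for inbound SSH on the tunnel interface. This is an added illustration, not the poster's actual ruleset; the interface names em0 and gif0 are assumptions.

```pf
# Added illustration, not the ruleset from the thread.
# Assumed interface names: em0 is the physical uplink, gif0 the IPv6 tunnel.
ext_if = "em0"
tun_if = "gif0"

set skip on lo0

# Antispoof on the physical interface only, as the poster describes.
# 'pfctl -vv -s rules' shows the block rules this line expands into.
antispoof log quick for $ext_if

# Default deny, logged, so that dropped replies show up in pflog0.
block log all

# Inbound SSH over the tunnel: this rule creates the state entry that
# 'pfctl -s state' reports for the incoming direction.
pass in on $tun_if inet6 proto tcp from any to ($tun_if) port 22 keep state

# Outgoing direction for the same flow. The thread's question is why
# this direction shows no state entry when the packet crosses gif0 twice.
pass out on $tun_if inet6 proto tcp from ($tun_if) port 22 to any keep state

# Locally originated traffic leaving over the tunnel.
pass out on $tun_if inet6 proto { tcp udp ipv6-icmp } from ($tun_if) to any keep state
```

Load with `pfctl -f /etc/pf.conf`, then compare `pfctl -s state` for the inbound and outbound entries while an SSH connection is open; `tcpdump -n -e -ttt -i pflog0` shows which rule dropped the return packets.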