Date: Tue, 3 Dec 2019 10:49:03 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191203034903.GA33853@admin.sibptus.ru>
In-Reply-To: <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz>
Morgan Wesström wrote:

> >>> ===================================
> >>> # DMZ 172.16.1.0/24
> >>> pass in on $dmz
> >>> #block in on $dmz from any to 192.168.0.0/16
> >>>
> >>> # Inside 192.168.10.0/24
> >>> pass in on $inside
> >>> ===================================
> >>>
> >>> While the "block ..." line is commented out, I can "telnet 172.16.1.10 80" from 192.168.10.3.
> >>
> >> Rule 1 does not match this packet
> >> Rule 3 matches said packet, action is PASS
>
> The pass directive creates a state when only SYN is set out of SYN and
> ACK as per the manual page. It does NOT create a state when both SYN and
> ACK are set simultaneously as in your initial reply from the telnet
> server.

Do you mean to say that a state checks not only address:port pairs, but
also TCP flags? This is a new notion for me. What would be a "pass" rule
to create a "catch all" state with no regard for TCP flags?

> Afaik a pass rule only creates state on the interface it
> monitors.

I'm afraid this is an incorrect assumption.

> I did not recreate your setup to check this though. But this
> is what should happen:
>
> With rule 2 remarked:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.

I'm afraid this is an incorrect assumption. According to man pf.conf, by
default "state-policy=floating" and state is not bound to interfaces. The
output of "pfctl -s state" does not indicate any interfaces either, just
protocols, addresses and ports.
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
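As an added example (not part of Victor's or Morgan's messages), a pf.conf fragment showing the two settings the thread turns on: `set state-policy`, which decides whether a state is interface-bound, and the `flags` option on pass rules, which decides which TCP flags a packet must carry to create state. The interface macros and the final rule are assumed for illustration.

```pf
# Constructed pf.conf fragment; interface names are assumed.
dmz    = "em1"
inside = "em2"

# Default policy is "floating": a state created by a packet seen on one
# interface also matches the reply arriving on another, so the SYN passed
# in on $inside covers the SYN/ACK coming back in on $dmz.
# "if-bound" instead restricts each state to the interface that created it.
set state-policy floating
#set state-policy if-bound

# Pass rules default to "flags S/SA": check the SYN and ACK bits and create
# state only when SYN is set and ACK is clear, i.e. on the first packet of
# a handshake. A lone SYN/ACK does not create state under this default.
# These three rules are the thread's ruleset with the block line active;
# last match wins, so the block overrides the earlier pass for 192.168/16.
pass in on $dmz
block in on $dmz from any to 192.168.0.0/16
pass in on $inside

# "Catch all" variant: "flags any" disables the flag check, so state is
# created by whichever packet matches first, including a mid-stream one.
pass in on $inside proto tcp from 192.168.10.0/24 to 172.16.1.0/24 port 80 flags any
```

Check the loaded ruleset with `pfctl -sr` and the resulting entries with `pfctl -s state` while reproducing the telnet test from the thread.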