Date: Tue, 3 Dec 2019 13:44:27 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191203064427.GA36581@admin.sibptus.ru>
In-Reply-To: <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net>
Here is some output from the real lab (the hosts fw.test, inside.test and
dmz.test are all FreeBSD VMs now). Any comments? Why does the state in the
second case look so odd?

root@fw:~ # cat /etc/rc.conf.local
hostname="fw.test"
ifconfig_vtnet0="DHCP description Outside"
ifconfig_vtnet1="172.16.1.1/24 description DMZ"
ifconfig_vtnet2="192.168.10.1/24 description Inside"
pf_enable="YES"
gateway_enable="YES"

root@fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state

root@fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:41985       ESTABLISHED:ESTABLISHED
root@fw:~ #

root@inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
Connected to dmz.test.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5 FreeBSD-20170903

================================================================================
==================== and here we enable the "block ..." rule ====
================================================================================

root@fw:~ # pfctl -s rules
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state
root@fw:~ #

root@fw:~ # pfctl -s states
all tcp 172.16.1.10:22 <- 192.168.10.3:50565       CLOSED:SYN_SENT
root@fw:~ #

root@inside:~ # telnet dmz.test 22
Trying 172.16.1.10...
telnet: connect to address 172.16.1.10: Operation timed out
telnet: Unable to connect to remote host

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
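As an added example (not part of the post above or of pf itself), a small Python parser for lines in the `pfctl -s states` format quoted in the post; it flags TCP states stuck in a CLOSED:SYN_SENT pair, the half-open pattern seen in the second run, which on a forwarding host is the usual symptom of a filtered or asymmetric reply path. The sample lines are constructed for the example, following the post's output format.

```python
import re

# Constructed sample, in the format `pfctl -s states` prints in the post above.
SAMPLE_STATES = """\
all tcp 172.16.1.10:22 <- 192.168.10.3:41985       ESTABLISHED:ESTABLISHED
all tcp 172.16.1.10:22 <- 192.168.10.3:50565       CLOSED:SYN_SENT
all udp 192.168.10.1:53 <- 192.168.10.3:54021       MULTIPLE:SINGLE
"""

# iface proto addr[:port] [(nat-addr)] dir addr[:port] [(nat-addr)] state:state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\(\S+\))?\s+(?P<dir><->|<-|->)\s+"
    r"(?P<right>\S+)(?:\s+\(\S+\))?\s+"
    r"(?P<state_a>[A-Z_]+):(?P<state_b>[A-Z_]+)\s*$"
)


def parse_states(text):
    """Parse `pfctl -s states` output into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def half_open_tcp(entries):
    """TCP states where one side is SYN_SENT and the other is still CLOSED: a SYN was
    matched by the state, but no SYN/ACK ever updated it. On a router this points at
    the return direction being dropped or bypassing the firewall."""
    return [
        e for e in entries
        if e["proto"] == "tcp"
        and {e["state_a"], e["state_b"]} == {"CLOSED", "SYN_SENT"}
    ]


if __name__ == "__main__":
    for e in half_open_tcp(parse_states(SAMPLE_STATES)):
        print(f"half-open: {e['left']} {e['dir']} {e['right']} "
              f"({e['state_a']}:{e['state_b']})")
```

Feed it live output with `pfctl -s states | python3 script.py` after swapping the sample for `sys.stdin.read()`.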